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Chapter 1 
Introduction 


In the late nineteenth and early twentieth century, formal systems for mathemat¬ 
ical reasoning were developed by pioneers such as Frege [Frege, 1879], Russell, and 
Whitehead [Whitehead and Russell, 1925]. In principle all mathematical arguments 
could be written in some formal system and verifying the validity of these proofs 
would be a simple, but tedious, syntactic check. No person would want to engage 
in such a task, but modern computers excel at quickly performing simple, tedious 
tasks. Automated proof checkers have been developed that can quickly verify the 
validity of mathematical arguments that are written in their formal systems. 

Proof checkers are an ideal way of verifying mathematical arguments because they 
are fast and reliable. What remains difficult is converting standard mathematical 
arguments on paper into a formal language that is suitable for software verification. 
In a formal proof, no details of an argument can be omitted. 

To aid people in the composition of formalized mathematics, proof assistants have 
been developed. These proof assistants contain an automated proof checker in the 
kernel of their code. The rest of the software supports the interactive development 
of formal proofs. They manage what goals remain to be proven and which assump¬ 
tions are available to prove those goals. They provide tools for automatically 
solving or reducing certain goals. However, even with all this assistance, creating 
formal proofs is a difficult and time consuming task for all but the simplest mathe¬ 
matical arguments. In this thesis I will develop some new tools that will lift some 
of this burden. 


1.1 Main Topics and Contributions 

This thesis is divided into two parts. In Part I, I discuss my development and veri¬ 
fication of the Godel-Rosser incompleteness theorem, which I undertook in order to 
better understand the difficulties of creating formal proofs. This new formal proof 
is more general than the previous formal proof of the incompleteness the¬ 
orem [Shankar, 1994]. In Part II, using lessons learned about formalization from 
Part I, I develop a constructive theory of real numbers. This formalization extends 
previous work on constructive real analysis [Cruz-Filipe, 2004] by adding feasible 
evaluation of approximations of elementary real number expressions. The two parts 
are independent of each other and can be read separately. The theorems in this 
thesis have been developed and verified with the Coq proof assistant [The Coq 
Development Team, 2004], 
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1.1.1 Part I 

I chose to verify the Godel-Rosser incompleteness theorem because the proof is 
simple enough that it is covered in undergraduate mathematics courses, and I felt it 
was an extreme example of a mathematical proof whose details are omitted during 
its presentation. I tried to follow a traditional mathematical argument, and I 
mostly succeeded, but I learned that many of the traditional structures and argu¬ 
ments for this proof are difficult to encode in a formal proof. I have identified sev¬ 
eral aspects of the proof where non-traditional structures and arguments may be 
easier to use. Another lesson I learned is that one should spend time researching 
and thinking about how to simplify aspects of a proof before formalizing it. This 
pressure to invent more general data structures and proofs is a useful side effect of 
the formalization process. 

1.1.2 Part II 

In Part II, I develop a new approach to metric spaces. I define the completion of an 
arbitrary metric space, and I give detailed paper proofs of properties of my metric 
spaces. The paper proofs were written before formalization so that I could antici¬ 
pate difficulties and adjust definitions. I then develop the real numbers as the ana¬ 
lytic completion of the rationals and define common trigonometric operations on 
them. Because my data structures and functions have reasonable efficiency, the 
operations are feasible to execute. Formal proofs ensure that the operations are 
correct. 

The primary purpose of developing a completion operation for metric spaces was to 
create an efficient real number implementation. However, the resulting completion 
operation is generic and can be used to complete other metric spaces. To illustrate 
this, I develop two other complete metric spaces: the completion of rational step 
functions, yielding integrable functions, and the completion of finite sets, yielding 
the compact sets. 

The library I have developed could be used to create a scientific calculator that can 
evaluate real number expressions to arbitrary precision and guarantee that the 
results are correct. Furthermore, by using the theory of compact sets, one could 
create a graphing calculator with provably correct plots of functions. Because the 
computations are certified with formal proofs, the computations can be used inside 
proofs. 

Using computation inside proofs is a powerful technique. The proof of the four 
colour theorem [Apple and Haken, 1976] and Kepler’s conjecture [Hales, 2002] both 
make heavy use of computation in their proofs. Verified computation is an essential 
ingredient needed to formalize these proofs. Gonthier has successfully used this 
technique to verify the four colour theorem with the Coq proof assistant [Gonthier, 
2005]. I believe that my theory of real numbers provides the tools needed to verify 
Hales’s proof of the Kepler conjecture as well as other proofs that make use of real 
number computation, such as the disproof of Mertens conjecture [Odlyzko and 
teRiele, 1985]. More importantly, I believe the ideas in this part will prove useful 
for creating the next generation of effective implementations of constructive anal¬ 
ysis. 




Chapter 2 
Preliminaries 


Constructive logic is usually presented as a restriction of classical logic where proof 
by contradiction and the law of the excluded middle are not allowed. However, con¬ 
structive logic can also be presented as an extension of classical logic. 

Consider formulas constructed from universal quantification (V), implication (=>), 
conjunction (A), true (“’). false (T), and equality for natural numbers (=n)- 
Define negation using these primitives. 

Definition 2.1. ->p := p=> _L. 

We call a formula p stable when =>■ p holds. One can (constructively) prove p 
is stable for any formula p generated from this set of connectives by induction on 
the structure of p because m =n n is provably stable, and the connectives listed 
above preserve stability. Thus, one can deduce classical results with constructive 
proofs for formulas generated from this restricted set of connectives. 

This set of connectives is not really restrictive though; it can be used to define the 
other classical connectives. 

Definition 2.2. Classical connectives: 

pV ip := ip) 

3x.p(x) := -<(\/x.-«p(x)). 

With this full set of connectives, one can produce classical mathematics. The law of 
the excluded middle (p V -xp) has a constructive proof when the classical disjunc¬ 
tion is used. As long as we have a stable goal we can do case analysis on the clas¬ 
sical disjunction. 

Theorem 2.3. Assuming that <p V ip holds, we have p =$■ 9 and ip => 6, and 6 is 
stable, meaning -i-i 9=>9, then 6 holds. 

Proof. Because 9 is stable, it is sufficient to prove that ->->6 holds. Assume that 
-i 9 holds. From this and the contrapositive of <p =$■ 9 we can conclude that -op 
holds. Similarly -tip holds. But we have that -'(-'<p A ->ip) holds from the definition 
of pV ip. Thus we have a contradiction, as required. □ 


3 




Preliminaries 


We have a similar theorem for the classical existential. 


Theorem 2.4. Assuming that 3x. p(x) holds, we have \/x. p(x) => 9, and 9 is 
stable, meaning ->->9 => 9, then 9 holds. 


Proof. Because 9 is stable, it is sufficient to prove that ->->9 holds. Assume that 
->9 holds. From this and the contrapositive of p(x) => 9 we can conclude that 
Vx.->p(x) holds. But we have that -i(Va:.-iy(a:)) holds from the definition of 
3 x.p(x). Thus we have a contradiction, as required. □ 


So far, these two theorems can always be used because for any given formula 9, we 
can prove ->->6 => 9. 

Now let us extend this logic by adding two new connectives, the constructive dis¬ 
junction (V) and the constructive existential (3). These new connectives come 
equipped with their constructive rules of inference given by natural deduc¬ 
tion [Thompson, 1991]. These constructive connectives are slightly stronger than 
their classical counterparts. Constructive excluded middle {p V -up) cannot be 
deduced in general, and our inductive argument that —iqp => p holds no longer goes 
through if p uses these constructive connectives. Therefore, statements such as 
(-■<£=> <p) => (ip=> p) are not general tautologies in constructive logic, but one can 
prove such statements when p is a stable formula. 

We wish to use constructive reasoning because constructive proofs have a computa¬ 
tional interpretation. A constructive proof of p V ip tells which of the two disjuncts 
hold. A proof of 3n: N. p(n) gives an explicit value for n that makes p(n) hold. 
Most importantly, we have a functional interpretation of => and V. A proof of 
Vn: N.3m: N. p(n, m) is interpreted as a function with an argument n that returns 
an to paired with a proof of p(n, to). 

The classical fragment also admits this functional interpretation, but formulas in 
the classical fragment typically end in ... => _L. These functions take their argu¬ 
ments and return a proof of false. Of course, there is no proof of false, so it must 
be the case that the arguments cannot simultaneously be satisfied. Therefore, these 
functions can never be executed. It turns out that only trivial functions such as 
this are created by proofs of classical formulas. This is why constructive mathe¬ 
matics aims to strengthen classical results. We wish to create proofs with non¬ 
trivial functional interpretations. 

Constructive logic turns out to be compatible with classical logic. If one replaces 
the constructive existential and disjunction with their classical counterparts, then 
the resulting formula is a theorem if the original theorem was. In fact, the deduc¬ 
tive rules of constructive logic are a subset of the deductive rules of classical logic 
when connectives are reinterpreted this way. This means that constructive rea¬ 
soning can be understood by classical mathematicians, although classical mathe¬ 
maticians may find some of the reasoning unusual at times because they have a dif¬ 
ferent interpretation of the connectives. 




2.1 Dependently Typed Functional Programming 


Constructive mathematics is mathematics done with constructive logic. Some care 
needs to be taken when selecting the non-logical axioms to ensure that the compu¬ 
tational interpretation of the logic remains valid. Standard ZFC set theory used in 
mathematics implicitly assumes a classical logic, so it is not a useful choice; one 
would be essentially restricted to the classical portion of constructive logic. I will 
use a type theory called the calculus of (co)inductive constructions (CiC) [The Coq 
Development Team, 2004] as the mathematical foundation for this thesis. CiC adds 
inductive and coinductive data structures, such as natural numbers, lists, and 
streams, to constructive logic in a way that is compatible with the existing natural 
deduction style rules for constructive logic. In fact, most of the logical connectives 
are defined as inductive datatypes. Only (V) remains primitive and (=>) is defined 
as a special case of (V) (see Section 2.2.2). 

CiC is the foundation used by the Coq proof assistant, which is the system that I 
have used to verify the theorems in my thesis. I will attempt to present my work 
independent of any particular constructive foundation as much as possible so that 
the ideas can easily be transferred to other systems. However, I will make use of 
the notation from type theory in my presentation. 

From now on, I will generally leave out the word “constructive” from phrases 
like “constructive disjunction” and “constructive existential” and simply write “dis¬ 
junction” and “existential”. This follows the standard practice in constructive math¬ 
ematics of using names from classical mathematics to refer to some stronger con¬ 
structive notion. I will explicitly use the word “classical” when I wish to refer to 
classical concepts. Rather than saying a statement is true in constructive logic, 
which suggests a true/false dichotomy, I will say a statement holds or is proved. I 
may also say a statement is constructed , but I will usually reserve this term for 
constructive theorems outside the classical subset. 


2.1 Dependently Typed Functional Programming 

This computational interpretation of constructive deductions is given by the Curry- 
Howard isomorphism [Thompson, 1991]. This isomorphism associates formulas with 
dependent types, and proofs of formulas with functional programs of the associated 
dependent types. For example, the identity function Ax: A.x of type A => A repre¬ 
sents a proof of the tautology A=>A. Table 2.1 lists the association between logical 
connectives and type constructors. 


Logical Connective 

Type Constructor 

implication: => 

function type: => 

conjunction: A 

product type: x 

disjunction: V 

disjoint union type: + 

true: T 

unit type: () 

false: 

void type: 0 

for all: Vx. ip(x) 

dependent function type: Tlx. ip(x) 

exists: 3x.ip(x ) 

dependent pair type: Ex. (p(x ) 


Table 2.1. The association between formulas and types given by the Curry-Howard is 
morphism. 
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In dependent type theory, functions from values to types are allowed. Using types 
parametrized by values, one can create dependent pair types, T,x: A. (p(x), and 
dependent function types, IIx: A.ip(x). A dependent pair consists of a value x of 
type A and a value of type <p(x). The type of the second value depends on the first 
value, x. A dependent function is a function from the type A to the type ip(x). The 
type of the result depends on the value of the input. 

The logical connectives and the type constructors from Table 2.1 mean the same 
thing, and I will use them interchangeably; however, I will usually prefer to use the 
logical connectives. Note that Coq has a sort of distinction between the two classes 
of connectives (see Section 2.3.2). 

The association between logical connectives and types can be carried over to con¬ 
structive mathematics. We associate mathematical structures, such as the natural 
numbers, with inductive types in functional programming languages. We associate 
atomic formulas with functions returning types. For example, we can define 
equality on the natural numbers, x =n y, as a recursive function: 

0=n0 := T 
S(ir)= N 0 := T 
0= N S (y) := T 
S(x) =in S(y) := x= K y 

One catch is that general recursion is not allowed when creating functions. The 
problem is that general recursion allows one to create a fixed point operator fix : 
(<p=> (fi) => ip that corresponds to a proof of a logical inconsistency. To prevent this, 
we allow only well-founded recursion over an argument with an inductive type. 
Because well-founded recursion ensures that functions always terminate, the lan¬ 
guage is not Turing complete. However, one can still express fast-growing func¬ 
tions, such as the Ackermann function, without difficulty by using higher-order 
functions [Thompson, 1991]. 

Because proofs and programs are written in the same language, we can freely mix 
the two. For example, I will represent the real numbers (see Definition 9.16 and 
Definition 11.1) by the type 

Bf: Q+ =► Q.Vei s 2 .\f(ei) - /(e 2 )| <*i + e* (2.1) 

A value of this type is a pair of a function /: Q+ => Q and a proof of 
Vex £ 2 . |/(£i) — /(£ 2 )| < £1 + £ 2 - The idea is that a real number is represented by a 
function / that maps any requested precision e: Q + to a rational approximation of 
the real number. Not every function of type Q + => Q represents a real number. 
Only those functions that have coherent approximations should be allowed. The 
proof object paired with / witnesses the fact that / has coherent approximations. 
This is one example of how mixing functions and formulas allows one to create pre¬ 
cise datatypes. 





2.1 Dependently Typed Functional Programming 


2.1.1 Evaluation 

This computational interpretation of constructive mathematics is more than a nice 
theoretical feature. The algorithms contained inside constructive proofs can actu¬ 
ally be executed inside the type theory. One can view this as part of Bishop’s pro¬ 
gram to see constructive mathematics as a programming language. For example, 
the expression 2 + 2 and the expression 4 are considered equivalent. They can be 
substituted for each other in any context, and the system will evaluate (2 + 2) to 4 
when necessary. 

A technique called reflection [Barendregt and Geuvers, 2001] uses this evaluation 
mechanism to allow one to create proofs by using computation. One example of 
this technique is used in Section 11.4.2 to prove the correctness of my definition of 
7r. Thus the computational and logical parts of type theory enhance each other. 
Correct algorithms can be used to create proofs, and proofs verify the logical cor¬ 
rectness of algorithms. 


2.1.2 Formalizing Mathematics with a Computer 

There are several different approaches to formalizing mathematics on a com¬ 
puter [Wiedijk, 2006]. Often people use a system that provides classical logic. 
Many systems implement classical higher-order logic, such as HOL Light, 
Isabelle/HOL, and PVS. A few systems implement classical set theory, such as 
Mizar and Isabelle/ZF. 

One of the main benefits of formalizing mathematics with a computer, aside from 
providing high assurance of correctness, is the ability for the computer to automate 
reasoning that would be too tedious to formalize by hand. This automated rea¬ 
soning can range from the mundane, automatically differentiating an expression, to 
the extreme, the huge case analysis needed in the four colour theorem [Gonthier, 
2005], 

Systems based on classical logic must perform this computation outside the logic, 
whereas a constructive system, such as Coq, can perform computation both on the 
outside, as Coq does with its tactic system, and on the inside, as Coq does with its 
evaluation mechanism. 

To prove the correctness of an algorithm using a classical system, generally one 
writes out the function first. Once the function is defined, one can use classical rea¬ 
soning to prove properties about that function. In a constructive system, one has 
the option to mix proofs into the definition of the function. This allows one to 
prove properties of a function as the function is defined. However, one still has the 
option of writing the function first and then reasoning about it. 

One can see the classical approach to correctness as taking a constructive theorem 
and Skolemizing the constructive existentials (and constructive disjunctions). The 
functions one initially writes become the instances of the Skolem functions in the 
transformed theorem. The resulting theorem is in the classical fragment of con¬ 
structive logic and classical arguments can be used to prove it. 
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I do not believe that there is anything to be gained by forcing a separation between 
the (classical) logical aspects and the algorithmic aspects when proving properties 
of algorithms. Sometimes this separation is a useful way to proceed, but usually 
the “flow” of the proof follows the “flow” of data in the algorithm. It makes sense to 
attach proof objects to values inside the algorithm, particularly when one wants to 
express an invariant of a datatype. I feel working with data and proofs together 
clarifies the development of algorithms and makes proving properties easier. Some¬ 
times one wants to prove a property of how two or more functions interact; for 
example, when proving one function distributes over another. In this case, it is usu¬ 
ally best to provide a proof separate from either function. 

When working in a constructive system, one has the option to avoid algorithmic 
development entirely and simply write a constructive proof. By its constructive 
nature, this proof can be executed to compute constructive witnesses. However, if 
no attention is paid to the construction, the resulting algorithms are often ineffi¬ 
cient. Therefore, it is wise to think of creating a constructive proof as a program¬ 
ming task as well as a mathematical task. One should take the same algorithmic 
considerations into account that one would when writing any other functional pro¬ 
gram. 


2.2 A Brief Introduction to Type Theory 

Types in type theory are similar to sets in set theory in that they are a collection 
of values. One important difference between type theory and set theory is that in 
type theory every value belongs to a unique type. I write a: A when a value a 
belongs to a type A. This means that the natural number Ik : N is distinct from 
the rational number 1 q : (Q because they belong to different types. However, I will 
often just write 1 and leave the distinction implicit. Values are also called “objects”; 
the two terms are synonymous. 

Quantifiers always range over some type; for example, Vx: N.x = 0 V By: N.x = S (y). 
Sometimes I will omit writing the type for the quantified variable when it is clear 
from context. 

One can form new types from existing types. Given types A and B, one can create 
the disjoint union type, A + B, the Cartesian product type, A x B, and the type of 
functions from A to B, A=> B. These types are the same as the logical connectives 
(V), (A), and (=>) respectively. The functions tti: A x B => A and 712: A x B => B 
are the first and second projection functions of the Cartesian product type. 

In type theory, proofs are objects, and propositions are types. This is known as the 
propositions-as-types interpretation. Propositions are types whose objects consist of 
all of their proofs. Therefore, one writes p: ip when p is a proof of <p. When a 
proposition has no proofs, it has no members. Thus it is the inhabited propositions 
that are the valid propositions. Propositions are also values that belong to the type 
of propositions. In Coq, the type of propositions is called Prop (see Section 2.3.2); 
however I will denote this type as * and write <p: *. Predicates can be seen as func¬ 
tions whose codomains are propositions. For example, predicates over the natural 
numbers will have the type N => *. 
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2.2.1 Inductive types 

CiC has inductive and coinductive types, so standard inductive types such as 
Booleans, natural numbers, integers, lists, binary trees, etc. are available as well as 
coinductive types such as infinite streams. I will use standard mathematical nota¬ 
tion for such types. 

A record is an inductive data type that has only one constructor. Coq has special 
notation for defining records that allows one to create the inductive type and the 
projection functions for its fields at the same time. 

A value of an inductive data type can be consumed by a structurally recursive 
function. These recursive functions can be evaluated inside type theory as men¬ 
tioned in Section 2.1.1. 

In addition to inductive types, inductive type families (also called inductive predi¬ 
cates) can be defined. In this case, the inductive definition produces not a type but 
a predicate. See Section 4.4 for an example of an inductively defined type family. 

2.2.2 Constructive Functions 

In classical mathematics, a classical function is a type of binary relation F satis¬ 
fying the property 

(\/x.3y.F(x, y)) A ( \/xyz.F(x , y) A F(x, z)=>y = z). 

In constructive mathematics, a (constructive) function is a value of type A => B, 
where => is a primitive connective. This => connective used in the function type is 
identical to the implication logical connective. In type theory, values of this con¬ 
structive function type are formed by specifying how the output is constructed 
from the input, usually using a lambda expression (see Section 2.2.4). Constructive 
functions can be evaluated internally in type theory as mentioned in Section 2.1.1. 
Additionally there is the dependent function type, written Vo: A.B(a), which is 
identical to the universal quantifier. In this case the codomain of the function can 
depend on the input parameter. Like the regular function type, values of a depen¬ 
dent function type are specified by lambda expressions and can be evaluated inter¬ 
nally in type theory. In fact, A => B is simply notation for Vo: A.B where B does 
not depend on a. 

2.2.3 Curried Functions 

A multi-argument function in mathematics is typically represented as a function 
whose domain is a Cartesian product. For example, a binary function would have 
the type A x B => C. It is traditional in functional programming to use curried 
functions. A curried binary function has type A => B => C (meaning A=> (B => C) 
by the usual associativity rule for =>), which can easily be shown to be isomorphic 
to A x B => C. When applying a curried binary function it would be more techni¬ 
cally accurate to write /(a)(6), but for clarity I will sometimes write /(a, 6) as if 
the function were not curried. 
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2.2.4 Anonymous Functions 

I will on occasion use anonymous functions. Anonymous functions—common in 
functional programming—are declared using the A symbol. For example, the recip¬ 
rocal function can be written as \x.x~ 1 and can be applied to arguments, as in 
(Aaua; -1 )^!^ is equal to 

2.2.5 Extensional Equality 

In this thesis I will use the equality sign ( = ) for extensional equality. Two func¬ 
tions /, g of the same type are considered extensionally equal when, for any input 
given to both functions, the outputs of the functions are extensionally equal: 

f = g:=Va.f{a) = g(a) 

Two values of an inductive type are extensionally equal when their constructors are 
the same and all parameters are extensionally equal. 

Extensional equality is the finest equality we will need in my thesis. However, Coq 
uses a finer equality called intensional equality (see Section 2.3.1) for its funda¬ 
mental equality. 

Another sort of equality that we will frequently use is setoid equality (see Sec¬ 
tion 2.2.8), which is generally coarser than extensional equality. 

2.2.6 No Subtypes 

Coq does not have subtyping. 21 This means that 7L cannot be considered as a sub- 
type of <Q. Functions, usually injections, are instead used to change data from one 
type to the other type. Coq has a coercion mechanism that will automatically infer 
many of these injections and hide the injections from being printed. Defining a 
coercion from Z to <Q allows one to use values of 7L as if they were values of Q. 

2.2.7 Predicates Instead of Sets 

Sets do not exist as such in type theory. Usually sets are replaced by predicates 
over a particular type. For example, subsets of the natural numbers are identified 
with N => *, predicates on the natural numbers. A value x satisfies a predicate P 
when P(x) is an inhabited type. Often I will use set theoretic notation to denote 
membership of a predicate: 

xGP := P(x) 

VxGP.ip := \/x.P(x)=> ip 
3 x€P.ip := 3x.P(x) Aip 

Similar quantifier notation will be used for inequalities such as Vi < n.ip and 
3 i > n. ip. 

2.1. Technically, Coq has subtyping in its universe levels, but we will not concern ourselves with 
universe levels in this thesis. 
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2.2.8 Setoids Instead of Quotients 

A quotient type is a type modulo a given equivalence relation on that type. For 
instance, the type (Q is often considered as a quotient of the type 7L x 1N + . CiC 
does not have quotient types. One instead passes around the equivalence relation in 
question. To do this, one often uses a data structure called a setoid. A setoid 
(A, is a type paired with an equivalence relation on that type. Functions 

between setoids that preserve their equivalence relations are called respectful. 
Proving that a function is respectful consists of the same work in traditional math¬ 
ematics needed to prove that a function over quotients is well-defined. Respectful 
functions are also called morphisms. 

2.2.8.1 Rewrite Automation 

Coq has special support for reasoning about setoids through its setoid_rewrite 
and setoid_replace tactics [Coen, 2004]. These tactics will automatically create 
the deductions for substitution of setoid equivalent terms into respectful functions 
and relations. This support makes reasoning about setoid equivalence almost as 
easy as reasoning about equality in Coq. 

Furthermore, Coq has the ability to define a database of rewrite lemmas. These 
lemmas have terms of the form a b for their conclusions. When they are added 
to the database the user indicates which way substitution should be performed (the 
same lemma can be added to different databases with different directions). The 
user can then use the database as a rewrite system to process a hypothesis or goal. 
The autorewrite <database> tactic will repeatedly try to use the lemmas in the 
named database to rewrite the goal. Well crafted rewrite databases can be used to 
quickly transform or simplify expressions. 

2.2.9 Apartness Instead of “Not Equal” 

In analysis, when considering Hausdorff spaces, it is often the case that being “not 
equal” is a non-stable atomic formula [Bauer and Taylor, 2008]. However, y is 
notation for ->x = y, and it is always stable. Therefore, constructive analysis uses a 
relation called apartness , written x#y, which is not necessarily stable. For 
example, the apartness relation for real numbers, := x < y V y < x, is not prov- 
ably stable. In these cases a c-setoid (a constructive setoid) data structure is often 
used instead of a setoid. A c-setoid (A, #a) is a type paired with an apartness rela¬ 
tion. In this case, a respectful function from a c-setoid A to a c-setoid B, is a func¬ 
tion /: A=>£? such that Vx, y: A. f(x)# B f(y) => x#aV- 

2.2.10 Classical Propositions Have One Proof 

All classical propositions have at most one proof, meaning that if p: ip and q: ip are 
two proof objects of the same classical proposition ip, then we can prove that p and 
q are (extensionally) equal, p = q. In general, I will denote all the unique proofs of 
classical propositions as * (e.g. *:T and *: T^t/?). 
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2.2.11 Omitted Parameters 

Throughout this thesis there are many places where I formally need to provide 
proofs of propositions as arguments to functions. However, to allow for a clearer 
presentation, I will usually omit these parameters. For example, the logarithm on 
rational numbers, lnq(a), requires a proof object showing that 0 <qo, but I do not 
show this parameter (see Section 11.4). 


2.3 Coq Specific Issues 


The previous section detailed the properties of the type theory I will be informally 
working in for this thesis. Although I made reference to the Coq system at times, 
the type theory I describe is fairly generic and should be easily adapted to work in 
many different implementations of type theory. However, my formal work has been 
done in the Coq proof assistant, so below I address some specific properties of Coq 
that are relevant to my formalization. 


2.3.1 Intensional Equality 

In type theory, functions are represented by the program that does the computa¬ 
tion. In Coq, two functions can only be proven equal if after normalization they are 
the same program. This means that if two functions are extensionally equal, they 
may not be intensionally equal in Coq. 

For inductive data types without functions as parameters to constructors, inten¬ 
sional equality coincides with extensional equality, so much of the time this distinc¬ 
tion does not matter. On those occasions where I need to deal with extensional 
equality between functions in Coq, I can often just expand out the definition of 
extensional equality. Thus, rather than trying to prove / = g, I prove Va. 
/(a) = g(a) instead. 


2.3.2 Prop versus Set 

The Coq system has a special universe called Prop. The Prop universe is like * in 
that it has types as members. The regular type universe is called Set and also has 
types as members, like *. 2 - 2 These two universes behave largely the same. Both 
universes have inductive types and function/implication types. When defining an 
inductive type, one specifies which universe the inductive type will inhabit. Func¬ 
tions in both universes can be evaluated inside Coq, as long as the functions are 
not opaque (see Section 2.3.3). 


2.2. There is also an infinite number of universe levels containing Set and Prop, but we can 
ignore this for our needs. 





2.3 Coq Specific Issues 


Generally the two universes serve to divide up types that are otherwise identical 
according to whether their values are intended to play a logical or functional role 
(recall Table 2.1). For each entry in Table 2.1, Coq has at least two operators, one 
for the logical side and one for the functional side. For example, Coq has one pro¬ 
duct for logical conjunction and another product for product types. Inductive types 
for both universes can have parameters whose types belong to either universe. In 
this way types from both universes can be mixed together. The only major differ¬ 
ence between the Prop and Set universes is in the way that case analysis for induc¬ 
tive types behave. Case analysis on an inductive type from the Prop universe is not 
allowed to result in a value in the Set universe. This prevents information from 
flowing from the Prop universe to the Set universe. This restriction allows Coq to 
optimize program extraction by throwing away all values from the Prop universe 
during program extraction [Paulin-Mohring, 1989]. This is safe because the case 
analysis restriction means that no value from the Set universe can depend on 
choices made in the Prop universe. 

There is an important exception to this case analysis rule. For the special case of 
inductive types declared in the Prop universe that have at most one constructor 
whose parameters are all from the Prop universe, case analysis is allowed to return 
values in the Set universe. Case analysis is safe in this instance because inductive 
types with at most one constructor provide no information; There will be only one 
branch in the case analysis. During program extraction, the case analysis is simply 
replaced by the code of this one branch. Since all the parameters are from the Prop 
universe, no parameters from the case analysis will occur in the code extracted 
from the one branch. 

Generally I only put inductive types in the Prop universe if they satisfy this special 
condition. 2 - 3 This allows me to enjoy unrestricted case analysis and still allow for 
efficient program extraction. 

I will not be making a Prop/Set distinction in my general discussion; however, I 
may refer to it when making comments specifically about the Coq implementation. 


2.3.3 Opaque Objects 

Theorems and definitions can be marked as opaque in Coq. Opaque definitions 
cannot be unfolded during computation. In this sense they behave much like 
axioms in Coq. Generally I make all objects in the Prop universe opaque and leave 
all objects in the Set universe as transparent. This usually works well because I 
ensure that all my objects from the Prop universe have no information (see Sec¬ 
tion 2.3.2). 


2.3. There are some cases when I would put inductive type families in Prop, even if they have mul¬ 
tiple constructors. However, all inductive type families in this thesis will be put in the Set uni- 
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One notable exception to making all Prop objects opaque would be a proof that a 
relation is well-founded. Even though the accessibility predicate is in the Prop uni¬ 
verse and satisfies the one constructor rule given in Section 2.3.2, it generally needs 
to be transparent so that well-founded induction over the relation can proceed. The 
other notable exception is that proofs of equality occasionally need to be trans¬ 
parent to allow “safe type-casts” 2 - 4 to be evaluated. 

Declaring objects as opaque is useful because it can prevent computation from 
expanding irrelevant definitions during evaluation. This is so useful that Coq also 
has a mechanism to temporarily mark certain definitions as opaque and make them 
transparent again later. 


2.3.4 Coq Notation 

On occasion I will use Coq’s concrete syntax to clearly specify the formal theorems 
I have proven. For those not familiar with Coq syntax, here is a short list of nota¬ 
tion. 

• ->, /\, \/, and ~ are the logical connectives =>, A, V, and >. 

• A + B, A * B, and A -> B form disjoint union types, Cartesian product 
types, and function types. 

• *, +, and S are the arithmetic operations of multiplication, addition, and 
successor. 

• ini and inr are the left and right injection functions of types A -> A + B 
and B -> A + B. 

• : :, and ++ are the list operations cons and append. 

• is an omitted parameter that Coq can infer itself. 

Function application is indicated by juxtaposition. Thus f(x) is written simply as 
f x in Coq. For more details see the Coq 8.0 reference manual [The Coq Develop¬ 
ment Team, 2004], 

to be transformed into a 


2.4. A safe type-cast allows a: A 
A = B. 


value of type B when given a proof of 
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Chapter 3 
Introduction 


In this part, I discuss my formal proof of the Godel-Rosser incompleteness theorem 
for arithmetic. The proof shows that any complete first-order theory of a suitable 
axiom system using only the symbols +, X , 0, S, and < is inconsistent. The 
axiom system must contain the nine axioms of a system called NN. These nine 
axioms define the five symbols. The axiom system must also be expressible in itself. 
This restriction prevents the incompleteness theorem from applying to axioms sys¬ 
tems such as the true first order sentences in N. Finally, the axiom system must be 
decidable, so that it is constructively decidable what is and is not a proof. This 
restriction is subtly, but significantly, different from requiring the axiom system to 
be computable. The difference is discussed later in Section 6.1. 

A computer-verified proof of Godel’s incompleteness theorem is not new. In 1986 
Shankar created a proof of the incompleteness of Z2, hereditarily finite set theory, 
in the Boyer-Moore theorem prover [Shankar, 1994]. My work is the first computer- 
verified proof of the essential incompleteness of arithmetic. Harrison recently com¬ 
pleted a proof in HOL Light [Harrison, 2000] of the essential incompleteness of Ei- 
complete theories, but has not shown that any particular theory is Ei-complete. 

My proof was developed and checked in Coq 7.3.1 using Proof General under 
XEmacs. It is part of the user contributions to Coq and can now be checked in 
Coq 8.0 [The Coq Development Team, 2004]. Examples of source code in this docu¬ 
ment use the new notation introduced in Coq 8.0. 

This part points out some of the more interesting problems I encountered formal¬ 
izing the incompleteness theorem. My proof loosely follows the presentation of 
incompleteness given in my undergraduate logic textbook, An Introduction to 
Mathematical Logic by Hodel [Hodel, 1995]. I use a more standard Hilbert-style 
deduction system rather than the one defined by Hodel. I referred to the supple¬ 
mentary text for the book Logic for Mathematics and Computer Science [Burris, 
1997] to construct Godel’s /3-function, and I take some inspiration from Shankar’s 
work as described in Metamathematics, Machines, and Godel’s Proof [Shankar, 
1994]. I also use Caprotti and Oostdijk’s contribution of Pocklington’s criterion 
[Caprotti and Oostdijk, 2001] to prove the Chinese remainder theorem. My proof is 
entirely constructive. 
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In this part, I first discuss my formalization of first-order classical logic over an 
arbitrary language (Chapter 4). This is followed by the definition of an axiom 
system called NN and the axiom system for Peano arithmetic. Then I discuss 
coding formulas and proofs as natural numbers followed by a discussion about 
primitive recursive functions operating on these codes (Chapter 5). Next I give the 
statement of the essential incompleteness of NN (Chapter 6). I discuss the fixed 
point theorem, Rosser’s incompleteness theorem, and the incompleteness of Peano 
arithmetic. Finally, I give some general remarks about my experience and how to 
extend my work in order to formalize Godel’s second incompleteness theorem 
(Chapter 9.5). 

This part is an expansion of my publication, “Essential Incompleteness of Arith¬ 
metic Verified by Coq” [O’Connor, 2005a]. 



Chapter 4 

First-Order Classical Logic 


The first step to prove the incompleteness theorem is to develop a theory of first 
order logic inside Coq. In essence Coq’s logic is a formal metalogic to reason about 
this internal logic. I created inductive types of well-formed terms and formulas 
parametrized over a first order language. I then created an inductive definition of 
Hilbert-style deductions for classical logic. 

I make essential use of Coq’s dependent type system. Terms and Formulas are 
types that depend on the language. Also, dependent types are used in the defini¬ 
tion of function and relation symbols so that the type system enforces that all 
terms and formulas be well-formed. This approach differs from Harrison’s definition 
of first order terms and formulas in HOL Light [Harrison, 1998a] because HOL 
Light does not have dependent types. 


4.1 Data Structures for Language 

I defined Language to be a dependent record of types for symbols and an arity 
function from symbols to N. The Coq code is: 

Record Language : Type := language 
{Relations : Set; 

Functions : Set; 

arity : Relations + Functions -> nat>. 

In retrospect it would have been slightly more convenient to use two arity functions 
instead of using the disjoint union type. 

The entire development of first-order logic is parametrized over this structure by 
using Coq’s section mechanism. 


4.2 Data Structures for Term and Formula 


For any language, a Term is either a variable indexed by a natural number or a 
function symbol plus a list of n terms where n is the arity of the function symbol. 
My first attempt at writing this in Coq failed. 
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Variable L : Language. 

(* Invalid definition *) 

Inductive TermO : Set := 

I varO : nat -> TermO 

I applyO : forall (f : Functions L) (1 : List TermO), 

(arity L (inr _ f))=(length 1) -> TermO. 

Some people may think that the occurrence of the List TermO type in applyO 
causes Coq to reject this definition; however, this is actually not problematic. It is 
the type (arity L (inr _ f)) = (length 1) that fails to meet Coq’s positivity 
requirement for inductive types. Expanding the definition of length reveals a 
hidden occurrence of TermO which is passed as an implicit argument to length. It 
is this occurrence that violates the positivity requirement. 

My second attempt met the positivity requirement, but it had other difficulties. 
First, one creates the well-known inductive family of types lists of length n, usually 
called Vector. 

Inductive Vector (A : Set) : nat -> Set := 

I Vnil : Vector A 0 
I Vcons : forall (a : A) (n : nat), 

Vector A n -> Vector A (S n). 

Using this I could have defined Term as follows. 

Variable L : Language. 

Inductive Terml : Set := 

I varl : nat -> Terml 
I applyl : forall f : Functions L, 

(Vector Terml (arity L (inr f))) -> Terml. 

My difficulty with this definition was that the induction principle generated by Coq 
is too weak to work with. The generated induction principle Terml_ind is: 

Terml_ind 

: forall P : Terml -> Prop, 

(forall n : nat, P (varl n)) -> 

(forall (f : Functions L) 

(v : Vector Terml (arity L (inr (Relations L) f))), 

P (applyl f v)) -> forall b : Terml, P b. 

Terml_ind requires showing P (applyl f v) for all f and v without any inductive 
hypothesis about v. If, for instance, one wants prove that a particular variable is 
not used in a term, one will need to verify that this holds for each term in the 
vector v; however, the inductive hypothesis for each term of the vector v is not 
available. 

Instead I created two mutually inductive types: Term and Terms. 

Variable L : Language. 
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Inductive Term : Set := 

I var : nat -> Term 
I apply : forall f : Functions L, 

Terms (arity L (inr f)) -> Term 
with Terms : nat -> Set := 

I Tnil : Terms 0 
I Tcons : forall n : nat, 

Term -> Terms n -> Terms (S n). 

Again the automatically generated induction principle is too weak, but the Scheme 
command generates suitable mutual-inductive principles. For example, the com¬ 
mand 

Scheme Term_Terms_rec := Minimality for Term Sort Set 
with Terms_Term_rec := Minimality for Terms Sort Set. 

generates a term of the following type. 

Term_Terms_rec 

: forall (P : Set) (PO : nat -> Set), 

(nat -> P) -> 

(forall f : Functions L, 

Terms (arity L (inr (Relations L) f)) -> 

PO (arity L (inr (Relations L) f)) -> P) -> 

PO 0 -> 

(forall n : nat. Term -> P -> Terms n -> PO n -> PO (S n)) -> 
Term -> P. 

In this case we have two “result” types. P is the result of evaluating on Term, while 
PO is the result of evaluation on Terms. 

The disadvantage of this approach is that useful lemmas about Vectors must be 
reproved for Terms. Some of these lemmas are quite tricky to prove because of the 
dependent type. For example, proving forall x : Terms 0, Tnil = x is surpris¬ 
ingly difficult. 

It turns out that the Terml definition would have been adequate. One can explic¬ 
itly make a sufficient induction principle by using nested Fixpoint functions 
[Marche, 2005]. 

Section RecursionDef. 

Variable P : Set. 

Variable PO : nat -> Set. 

Variable varcase : nat -> P. 

Variable applycase : 

forall f : Functions L, Vector Terml (arity L (inr f)) -> 

PO (arity L (inr f)) -> P. 
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Variable nilcase : PO 0. 

Variable conscase : 

forall n : nat, Terml -> P -> Vector Terml n -> PO n -> PO (S n) . 
Fixpoint Terml_rec_new (t : Terml) : P := 

let fix Termsl_rec (n : nat)(vec : (Vector Terml n)) {struct vec> : 
PO n : = 

match vec in (Vector _ n) return (PO n) with 
I Vnil => nilcase 
I Vcons term m terms => 

conscase m term (Terml_rec_new term) terms (Termsl_rec m terms) 

match t with 
I varl n => varcase n 

I applyl f terms => applycase f terms (Termsl_rec _ terms) 
end. 


End RecursionDef. 

I would recommend using something like the Terml definition with Terml_rec_new 
in future work. 

The definition of Formula was straightforward. 

Inductive Formula : Set := 

I equal : Term -> Term -> Formula 

I atomic : forall r : Relations L, Terms (arity L (ini r)) -> 
Formula 

I impH : Formula -> Formula -> Formula 
I notH : Formula -> Formula 
I forallH : nat -> Formula -> Formula. 

I defined the other logical connectives in terms of impH, notH, and forallH. 

Definition orH (A B : Formula) := impH (notH A) B. 

Definition andH (A B : Formula) := notH (orH (notH A) (notH B)). 
Definition iffH (A B : Formula) := andH (impH A B) (impH B A). 
Definition existH (x : nat) (A : Formula) := 
notH (forallH x (notH A)). 

The equals relation is part of the definition of Formula, so it does not occur as a 
relation symbol in the language. The nat parameter of forallH is the index of the 
variable being quantified. The Terms parameter occurring in atomic would be 
replaced with (Vector Terml) if the definition of Terml were used. The H at the 
end of the logic connectives, such as impH, stands for “Hilbert” and is used to distin¬ 
guish them from Coq’s connectives. 

For example, the formula —iVa;o- Vaq. xq = x\ is represented by: 




4.3 Definition of substituteFormula 23 


notH (forallH 0 (forallH 1 (equal (var 0) (var 1)))) 

There are two common alternatives to handle variable binding. One alternative is 
to use higher order abstract syntax to handle bound variables by giving forallH 
the type (Term -> Formula) -> Formula. I would represent the above example 


notH (forallH (fun x : Term => 

(forallH (fun y : Term => (equal x y))))) 

This technique would require additional work to disallow “exotic terms” that are 
created by passing a function into forallH that does a case analysis on the term 
and returning entirely different formulas in different cases. Despeyroux and 
Hirschowitz [Despeyroux and Hirschowitz, 1994] address this problem by creating a 
complicated predicate that only valid formulas satisfy. Recently, 
Chlipala [Chlipala, 2008] has created an elegant solution for using higher order 
abstract syntax. 

Another alternative is to use de Bruijn indices to eliminate named variables. How¬ 
ever dealing with free and bound variables with de Bruijn indices can be diffi¬ 
cult [McBride and McKinna, 2004a]. 

Using named variables allowed me to closely follow the standard way of writing for¬ 
mulas in mathematics. Using named variables is also helpful to persuade people of 
the correctness of the statement of the incompleteness theorem, which refers to the 
notion of provability and hence formulas. 

Renaming bound variables turned out to be a constant source of work during devel¬ 
opment, because variable names and terms were almost always abstract. In prin¬ 
ciple the variable names could conflict, so it was constantly necessary to consider 
this case and deal with it by renaming a bound variable to a fresh one. Perhaps it 
would have been better to use de Bruijn indices and a deduction system that only 
deduced closed formulas, or perhaps one of the alternative implementations of vari¬ 
ables that I discuss in Section 7.7. 


4.3 Definition of substituteFormula 


I defined the function substituteFormula to substitute a term for all occurrences 
of a free variable inside a given formula. While the definition of substituteTerm is 
simple structural recursion, substitution for formulas is complicated by quantifiers. 
Suppose we want to substitute the term s for aq in the formula Vxj. ip and i =f= j. 
Suppose xj is a free variable of s. If we naively perform the substitution, then the 
occurrences of Xj in s get captured by the quantifier. One common solution to this 
problem is to disallow substitution for a term s when s is not substitutable for Xi in 
ip. The solution I took was to rename the bound variable in this case: 


( y/xj. ip) [Xi/s ] := Vcc*;. (ip[xj/xu\) [xi/s\ where k^i and Xk is not free in ip or s 
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Unfortunately this definition is not structurally recursive. The second substitution 
operates on the result of the first substitution, which is not structurally smaller 
than the original formula. Coq will not accept this recursive definition as is; it is 
necessary to prove the recursion will terminate. I proved that substitution preserves 
the depth of a formula, and that each recursive call operates on a formula of 
smaller depth. 

One of McBride’s mantras says, “If my recursion is not structural, I am using the 
wrong structure” [McBride, 1999, p. 241], In this case, my recursion is not struc¬ 
tural because I am using the wrong recursion. Stoughton shows that it is easier to 
define substitution that substitutes all variables simultaneously because the recur¬ 
sion is structural [Stoughton, 1988]. If I had used this definition, I could have 
defined substitution of one variable in terms of it and many of my difficulties would 
have disappeared. 


4.4 Definition of Prf 

I defined the inductive type (Prf Gamma phi) to be the type of proofs of phi, from 
the list of assumptions Gamma. Originally (Prf Gamma phi) was a member of the 
Prop universe. It seemed natural to consider T h ip as a proposition, but it is impor¬ 
tant in this work to be able to distinguish between different proofs of the same 
statement. To get the ability to distinguish between different proofs requires that 
(Prf Gamma phi) be in Set. 

Inductive Prf : Formulas -> Formula -> Set := 

I AXM : forall A : Formula, Prf (A :: nil) A 
I MP : forall (Axml Axm2 : Formulas) (A B : Formula), 

Prf Axml (impH A B) -> Prf Axm2 A -> 

Prf (Axml ++ Axm2) B 

I GEN : forall (Axm : Formulas) (A : Formula) (v : nat), 

' In v (freeVarListFormula L Axm) -> Prf Axm A -> 

Prf Axm (forallH v A) 

I IMP1 : forall A B : Formula, Prf nil (impH A (impH B A)) 

I IMP2 : forall ABC: Formula, 

Prf nil (impH (impH A (impH B C)) 

(impH (impH A B) (impH AC))) 

I CP : forall A B : Formula, 

Prf nil (impH (impH (notH A) (notH B)) (impH BA)) 

I FA1 : forall (A : Formula) (v : nat) (t : Term), 

Prf nil (impH (forallH v A) (substituteFormula L A v t)) 

I FA2 : forall (A : Formula) (v : nat), 

' In v (freeVarFormula L A) -> 

Prf nil (impH A (forallH v A)) 

I FA3 : forall (A B : Formula) (v : nat), 

Prf nil 
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(impH (forallH v (impH A B)) 

(impH (forallH v A) (forallH v B))) 

I EQ1 : Prf nil (equal (var 0) (var 0)) 

I EQ2 : Prf nil (impH (equal (var 0) (var 1)) 

(equal (var 1) (var 0))) 

I EQ3 : Prf nil 

(impH (equal (var 0) (var 1)) 

(impH (equal (var 1) (var 2)) (equal (var 0) (var 2)))) 

I EQ4 : forall R : Relations L, Prf nil (AxmEq4 R) 

I EQ5 : forall f : Functions L, Prf nil (AxmEq5 f). 

AxmEq4 and AxmEq5 are recursive functions that generate the equality axioms for 
relations and functions. AxmEq4 R generates 

O!o = X! => ... =>- X 2n -2 = ®2n-l => (R(x 0 , X 2 , ...,X 2n - 2 ) O R{xi, X 3 , X 2 n -l)) 

and AxmEq5 f generates 

X 0 = XI => ... =>■ X 2n -2 = X 2n -1 => f(x 0,X 2 ,...,X 2n - 2 ) = f(x 1 ,X 3 ,...,X 2 n -l) 

I found that replacing ellipses from informal proofs with recursive functions was 
one of the most difficult tasks. This case was easy, but in general, the informal 
proof does not contain information on what inductive hypothesis should be used 
when reasoning about these recursive definitions. Figuring out the correct inductive 
hypotheses was not always easy. 


4.5 Definition of SysPrf 


There are some problems with the definition of Prf given. It requires the list of 
axioms to be in the correct order for the proof. For example, if we have Prf 
Gammal (impH phi psi) and Prf Gamma2 phi then we can conclude only Prf 
Gammal++Gamma2 psi. We cannot conclude Prf Gamma2++Gammal psi or any other 
permutation of the axioms. If an axiom is used more than once, it must appear in 
the list more than once. If an axiom is never used, it must not appear. Also, the 
number of axioms must be finite because they form a list. 

One possible solution would be to add permutation, weakening, and contraction 
rules for axioms to the inductive definition of Prf. However, this would further 
complicate the definition of Prf, which we would like to keep as simple as possible, 
and it would still not allow the number of axioms to be infinite. To solve this 
problem, I instead defined System to be Ensemble Formula and SysPrf T phi to 
be the proposition that the system T proves phi. 

Definition System := Ensemble Formula. 

Definition mem := Ensembles.In. 
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Definition SysPrf (T : System) (f : Formula) : Prop := 
exists Axm : Formulas, 

(exists prf : Prf Axm f, 

(forall g : Formula, In g Axm -> mem _ T g)). 

The type Ensemble A represents subsets of A by predicates of type A -> Prop. 
Recall that a : A is considered to be a member of T : Ensemble A if and only if 
the type T a is inhabited. I also defined mem to be Ensembles. In so that it does 
not conflict with List. In. 

The separation between the notions of Prf and SysPrf is useful. Each member of 
Prf is a finite value that can easily be encoded by a natural number (see Sec¬ 
tion 5.1), while SysPrf allows one to work with infinite axiom systems. 


4.6 The Deduction Theorem 

The deduction theorem states that ifT U {ip} b if) then T b ip => ip. In Coq its 
formal statement is: 

Theorem DeductionTheorem : 

forall (T : System) (f g : Formula) (prf : SysPrf (Add T g) f), 
SysPrf T (impH g f). 

There is a choice of whether the side condition for the V-generalization rule, 
"In v (freeVarListFormula L Axm), should be required or not. If this side con¬ 
dition is removed, then the deduction theorem requires a side condition on it. Usu¬ 
ally all the formulas in an axiom system are closed, so the side condition on the V- 
generalization is easy to show. I therefore decided to keep the side condition on the 
V-generalization rule. 

Originally my proof of the deduction theorem relied on an assumption that the lan¬ 
guage is decidable, meaning that the function and relation symbols form decidable 
types. 

• forall x y : Functions L, {x=y} + {x<>y> 

• forall x y : Relations L, {x=y> + {x<>y> 

The classical proof of the deduction theorem at one point considers whether ip £ F 
or ip <£ F for a finite list of axioms F. This disjunction is provable under the 
assumption that the language is decidable. Because most reasonable languages are 
decidable, this extra assumption was not much of a burden; however, I regularly 
used the deduction theorem to prove general logical validities. Each time I did this 
I knew that there must be a way of proving the theorem without resorting to the 
deduction theorem, and that these theorems did not require the assumption that 
the language be decidable. There was good reason for this: the deduction theorem 
does not require that the language be decidable. 
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To understand how to remove the assumption that the language is decidable, one 
needs to first see how it is used in the classical proof. The classical proof works by 
translating a deduction rul^lAFbV’ into a new deduction TDF'h^ =>• ip, 
where ADG\~0 means that 9 is proved using the finite set of axioms G, which are 
a subset of the system A. The key place excluded middle is used is when T U {p} D 
F b Var.f p by the GEN rule (forall generalization). In this case, x p FV(F), and 
F b ip. The classical proof considers two possible cases. In one case, ip £ F, and 
therefore x p ¥\{p). By induction we know that TDF'bip => ip. By using the 
fact that x p FV(^), plus some logical rules, one can conclude that F D F' h p =>- 
\/x. ip. In the other case ip p F, and thus T A F b Var .ip. Then it easily follows that 
rDFbi/j =>■ Var. ip. 

Notice the fact that ip p F is simply used to conclude that T D F. Therefore, it is 
sufficient to prove that p £ F V V D F instead of using excluded middle. This dis¬ 
junction is easy to prove from the assumption that T U {iy} 3 F by performing 
induction on F. The decidability of the language is not needed. 

This illustrates one technique for removing uses of the excluded middle. One can 
follow the two cases of the disjunction until one gets to two formulas whose dis¬ 
junction you can constructively prove. In some sense, my modified proof is simpler 
than before. The reasoning to get from p p F to V D F has been removed. On the 
other hand, the proof is more complicated because an additional argument is 
needed to prove p £ F V T A F. 

Although this technique sounds easy, I must confess that I only noticed it in retro¬ 
spect. I derived this new proof using my intuition that I ought to be able to use the 
constructive disjunction hidden inside the union operation to decide between these 
two cases and I kept fiddling until I got it. 


4.7 Substitution Lemmas 

After some development, it became clear that there were three key substitution 
lemmas to be proved: 

1. r b p[xi/s\ & p when Xi p FV(p) 

2. Tb p[xi/xj][xj/s] <£> p[xi/s] when xj p FV(<p)\{a:j} 

3. T\-p[xi/s\[xj/t]-& p[xj/t][xi/s\ wheni^j, aij^FV(t), and XjpFV(s) 

Ideally I would be able to prove the equality between the formulas; however, the 
formulas are not equal because applying the different substitution operations may 
cause bound variables to be renamed in different ways. The result is that the dif¬ 
ferent sides of the equation are only a-equivalent, meaning equivalent up to 
renaming of bound variables. I never defined an equivalence relation for a-equiva- 
lence, so I instead proved the logical equivalence of the formulas. In Coq these 
lemmas are stated as follows. 


Lemma subFormulaNil : 
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forall (f : Formula) (T : System) (v : nat) (s : Term), 

' In v (freeVarFormula L f) -> 

SysPrf T (iffH (substituteFormula L f v s) f). 

Lemma subFormulaTrans : 

forall (f : Formula) (T : System) (vl v2 : nat) (s : Term), 

In v2 (list_remove _ eq_nat_dec vl (freeVarFormula L f)) -> 

SysPrf T 

(iffH (substituteFormula L 

(substituteFormula L f vl (var v2)) v2 s) 

(substituteFormula L f vl s)). 

Lemma subFormulaExch : 

forall (f : Formula) (T : System) (vl v2 : nat) (si s2 : Term), 

vl <> v2 -> 

~ In v2 (freeVarTerm L si) -> 

~ In vl (freeVarTerm L s2) -> 

SysPrf T 

(iffH (substituteFormula L (substituteFormula L f vl si) v2 s2) 
(substituteFormula L (substituteFormula L f v2 s2) vl si)). 

These proofs were the first major challenge that I faced. These theorems are not 
discussed in Hodel’s textbook [Hodel, 1995], so it was necessary for me to develop 
the proofs myself. Naturally I proceeded by induction on the depth of the formula 
ip. The cases dealing with formulas of the form Vxj. \[) were the most difficult. 

For example, consider the case of trying to prove the equivalence of (Vcc^. ip)[xi/s\ 
and Vxj.ip when Xi £ FV(Vxj. ip). If i = j then the two formulas are identical, so 
that case is trivial. In the case that i =f=- j then there is a & different from i such that 
Xk FV(s) and such that (\/xj.ip)[xi/s] = V®*.. (#[* j/a*] [xi/s ) (it may be the case 
that k = j). To prove one direction of the implication, consider the following rea¬ 
soning inside first-order classical logic. Suppose that Vc Vk-{ip[x j / Xk)[xi/s]) holds. 
Then one can derive ip[xj/xk] [a*/s] [xk/xj]. By substitution lemma 3, one can 
derive ip[xj/xk][xk/xj][xi/s]. By substitution lemma 1, one can derive 
ij)[xj/xk][xk/xj\. By substitution lemma 2, one can derive ip[xj/xj] which is equal 
to ip. Then, using generalization, one can conclude V.x r ip as required. 

This segment of the inductive proof of substitution lemma 1 relied on substitution 
lemmas 2 and 3. Eventually I discovered that my proofs of substitution lemmas 2 
and 3 also relied on substitution lemmas 1, 2, and 3. This meant I had to prove all 
three substitution lemmas simultaneously by induction in one large lemma. 

Remark subFormulaNTE : 
forall (f : Formula) (T : System), 

(forall (v : nat) (s : Term), 

" In v (freeVarFormula L f) -> 

SysPrf T (iffH (substituteFormula L f v s) f)) /\ 

(forall (vl v2 : nat) (s : Term), 

In v2 (list_remove _ eq_nat_dec vl (freeVarFormula L f)) -> 
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SysPrf T 

(iffH (substituteFormula L 

(substituteFormula L f vl (var v2)) v2 s) 

(substituteFormula L f vl s))) /\ 

(forall (vl v2 : nat) (si s2 : Term), 
vl <> v2 -> 

In v2 (freeVarTerm L si) -> 

In vl (freeVarTerm L s2) -> 

SysPrf T 

(iffH (substituteFormula L (substituteFormula L f vl si) v2 s2) 
(substituteFormula L (substituteFormula L f v2 s2) vl si))). 

My proof of this lemma alone is about 1900 lines long. Admittedly, this was one of 
my early formal proofs, so it is not very well written. Nonetheless, even if I wrote it 
again today it would still be a substantial proof. These lemmas are not typically 
covered in logic courses or logic textbooks because typically the issue of bound vari¬ 
ables and renaming is not addressed. However, it is exactly the bookkeeping 
involved in renaming bound variables and making sure that the side conditions 
about variables being free in expressions are satisfied that makes proving this 
lemma so difficult. When creating formal proofs, it is not possible to omit proving 
theorems just because they do not appear to provide much insight. 

The difficulty of this proof strongly suggests that this is the wrong way to handle 
bound variables and substitution. These lemmas would probably be easier to prove, 
or may not even have been necessary if I had defined simultaneous substitution as 
the primitive substitution operation. 


4.8 Languages and Theories of Number Theory 


So far the theory of first order logic has been abstract over the language. To apply 
this theory I need some instances of languages. I created two languages. The first 
language, LNT, is the language of number theory and just has the function symbols 
Plus, Times, Succ, and Zero with appropriate arities. The second language, LNN, is 
the language of NN and has the same function symbols as LNT plus one relation 
symbol, LT, for less than. 

I defined two axiom systems NN and PA (Peano arithmetic) for the languages LNN 
and LNT respectively. NN and PA share six axioms: 

1. Vxo- -i Sx o = 0 

2. Vxo- Vcci. Sxo = Sxi =>■ *o = x\ 

3. Vxo- *o + 0 = xq 

4. Vjco-Vxi.jco + Sxi — S(xo + *1) 

5. V*o- *0X0 = 0 
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6. Vxo-Vici. cco x S'*! = (aio x ®i) + xo 
NN has three additional axioms about less than: 

1. Vcco- -ia:o < 0 

2. Vxo-Vxi.xo < Sxi =>■ (so = xi V xo < x\) 

3. Vxo- Vaii. xo < xi V xq = x\ V x\ < xo 

PA has an infinite number of induction axioms that follow one schema. 

• (schema) Vx^.... Vaq n . <p\xj/Q\ =>- Vxj.(ip =>■ tp[xj/Sxj]) =>■ Vxj.ip 

The Xjj, x ln are the free variables of Va Cj. ip. The quantifiers ensure that all the 
axioms of PA are closed. 

Because NN is in a different language than PA, a proof in NN is not a proof in PA. 
In order to reuse the work done in NN, I created a function called 
LNN2LNT_formula to convert formulas in LNN into formulas in LNT by replacing 
occurrences of to < fi with (3® 2 - + (Sx 2) = aJi)[®o/to) ®i/i.i]., where ip[xo/to, 

Xi/ti] is the simultaneous substitution of to for Xq and t\ for x\. I then proved that 
if NN b <p then PA b LNN2LNT_formula(y) by using the induction schema to prove 
the three axioms about < in NN. 



Chapter 5 

Representing Functions 


The key to proving the incompleteness theorem is to show that one can represent 
the provability predicate with a first-order formula. A common approach is to 
develop a primitive recursive function that can verify proofs and then prove that 
every primitive recursive function is representable by a first-order formula. Because 
primitive recursive functions can only operate on natural numbers, not formulas or 
proofs, it is necessary to select a way of encoding data structures as natural num¬ 
bers. 


5.1 Coding 

Godel’s original approach was to code a formula as a list of numbers and then code 
that list using properties from the prime decomposition theorem [Godel, 1931]. I 
avoided needing theorems about prime decomposition by instead following Hodel’s 
technique of using the Cantor pairing function [Hodel, 1995]. The Cantor pairing 
function, cPair, is a commonly used bijection between NxN and N. 


cPair(a, b) 


a + H s 


All my inductive structures were easy to recursively encode. I gave each con¬ 
structor a unique number and paired that number with the encoding of all its 
parameters. For example, I defined codeFormula as follows, where codeR is a 
coding of the relation symbols for the language: 

Fixpoint codeFormula (f : Formula) : nat := 
match f with 

I fol.equal tl t2 => cPair 0 (cPair (codeTerm tl) (codeTerm t2)) 

I fol.impH fl f2 => 

cPair 1 (cPair (codeFormula fl) (codeFormula f2)) 

I fol.notH fl => cPair 2 (codeFormula fl) 

I fol.forallH n fl => cPair 3 (cPair n (codeFormula fl)) 

I fol.atomic R ts => cPair (4+(codeR R)) (codeTerms _ ts) 
end. 

I created coding functions for all my data structures including lists, terms, for¬ 
mulas, and proofs. I proved each coding function was injective. 
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For each language, a function called nattoTerm : nat -> Term transforms a nat¬ 
ural number to the closed term representing it. In this thesis I will refer to this 
function as r . n , so r 0 n = 0, r l n = SO, etc. I will also use r ip~ l for r codeFormula ip" 1 
and r f n for r codeTerm V. 


5.2 Primitive Recursive Functions 

In this section, I use definitions for extensional equality of functions on the natural 
numbers. In particular I defined the following: 

• naryFunc is the type of n-ary functions. 

• naryRel is the type of n-ary relations. 

• extEqual is extensional equality of n-ary functions. 

• charFunction returns the n-ary characteristic function of an n-ary relation. 

I defined the type PrimRec n for primitive recursive expressions of arity n as: 

Inductive PrimRec : nat -> Set := 

I succFunc : PrimRec 1 
I zeroFunc : PrimRec 0 

I projFunc : forall n m : nat, m < n -> PrimRec n 
I composeFunc : 

forall (n m : nat) (g : PrimRecs n m) (h : PrimRec m), 

PrimRec n 
I primRecFunc : 

forall (n : nat) (g : PrimRec n) (h : PrimRec (S (S n))), 

PrimRec (S n) 

with PrimRecs : nat -> nat -> Set := 

I PRnil : forall n : nat, PrimRecs n 0 
I PRcons : forall n m : nat, 

PrimRec n -> PrimRecs n m -> PrimRecs n (S m). 

The type PrimRec contains expressions of primitive recursive functions, but are not 
themselves functions. I defined evalPrimRec : forall n : nat, PrimRec n -> 
naryFunc n to convert expressions into a functions. Rather than working directly 
with primitive recursive expressions, I worked with particular Coq functions and 
proved they were extensionally equal to the interpretation of some primitive recur¬ 
sive expressions. This relation is captured by isPR. 

Definition isPR (n : nat) (f : naryFunc n) : Set := 

{p : PrimRec n I extEqual n (evalPrimRec p) f}. 

Similarly, an n-ary relation is considered primitive recursive if its characteristic 
function is primitive recursive. 

Definition isPRrel (n : nat) (R : naryRel n) : Set := 
isPR n (charFunction n R). 





5.3 Creating Primitive Recursive Functions 


33 


5.3 Creating Primitive Recursive Functions 

I proved that many functions are primitive recursive, including plus, mult, pred, 
minus, max, and cPair. I also proved that many relations have characteristic func¬ 
tions that are primitive recursive, such as ltBool, leBool, and beq_nat (equality 
on the natural numbers). More importantly, I proved several theorems about cre¬ 
ating primitive recursive functions out of others. For example, if f is a 2-ary primi¬ 
tive recursive function, then fun a b c : nat => f a b is a 3-ary primitive recur¬ 
sive function. I also proved that course-of-values recursion is primitive recursive. 
Another very useful theorem states that a bounded search for the least number sat¬ 
isfying a primitive recursive predicate is primitive recursive. The bounded search is 
used, for instance, to compute the two projection functions of the Cantor pairing 
function. Given a code n for a pair of natural numbers, a function called searchXY 
finds the first c <n such that n < The first projection, cPairPil, returns 

n — *• The second projection, cPairPi2, returns c — cPairPil(n). 

I needed to show that many functions are primitive recursive, including operations 
on lists, computing free variables, checking if a formula is an instance of Peano 
arithmetic’s induction schema, and more. Of course these functions do not operate 
on natural numbers, so they themselves cannot be primitive recursive. Instead, I 
proved that the corresponding operations on the codes of these values are primitive 
recursive. 

It is easy to prove that certain Coq functions are extensionally equivalent to primi¬ 
tive recursive functions when one defines functions from a limited set of primitives. 
For example, the function codeApp, which given the code of two lists of natural 
numbers returns a code of the concatenation of the two lists, is defined as follows: 

Definition codeApp : nat -> nat -> nat := 
evalStrongRec 1 

(fun n Hrecs pi : nat => 
switchPR n 

(S (cPair (cPairPil (pred n)) 

(codeNth (n - S (cPairPi2 (pred n))) Hrecs))) pi). 

This unusual definition is built out of functions such as evalStrongRec, which does 
course-of-values recursion, and switchPR, which behaves like an if statement by 
returning one of the two last arguments depending on whether the first argument is 
zero or not. Because I proved that functions built from these kinds of pieces are 
primitive recursive, it was easy to prove that codeApp is primitive recursive. 


5.3.1 codeSubFormula is Primitive Recursive 

I proved that substitution is primitive recursive, meaning that I proved that the 
corresponding function operating on codes is primitive recursive. The function on 
codes is called codeSubFormula, and I proved it is correct in the following sense: 






34 


Representing Functions 


Lemma codeSubFormulaCorrect : 
forall (f : Formula) (v : nat) (s : Term), 
codeSubFormula (codeFormula f) v (codeTerm s) = 
codeFormula (substituteFormula L f v s). 

The proof that codeSubFormula is primitive recursive is very difficult. The problem 
is again with the need to rebind bound variables. Normally one would attempt to 
create this primitive recursive function by using course-of-values recursion. Course- 
of-values recursion requires all recursive calls to have a smaller code than the orig¬ 
inal call. Renaming a bound variable requires two recursive calls. Recall the defini¬ 
tion of substitution in this case: 

(Vxj. ip)[xi/s] := Vxfc. (ip[xj/xu\)[xi/s\ where k =f= i and Xk is not free in ip or s 

If one is lucky, one might be able to make the inner recursive call (the value of k 
could cause difficulties), but there is no reason to suspect that the input to the 
second recursive call, (p[Xj/xk\, is going to have a smaller code than the original 
input, Vxj. ip. 

If I had used the alternative definition of substitution, where all variables are sub¬ 
stituted simultaneously, there would still be problems. The input would include a 
list of variable and term pairs that represents the substitutions to be performed. In 
this case a new pair would be added to the list when making the recursive call, so 
the input to the recursive call could still have a larger code than the input to the 
original call. Perhaps if I had represented variables with de Bruijn indices, then it 
would have been easier to prove that substitution is primitive recursive. 

Hodel’s presentation avoids this difficult proof in two ways. Firstly, he gives only a 
cursory presentation of the algorithms needed, so no detailed proof that substitu¬ 
tion is primitive recursive is given. Secondly, his definition of substitution requires 
that the term substituting be substitutable into the context of the variable being 
replaced. This substitutability restriction means that bound variables need never 
be renamed. This would greatly simplify the proof that substitution is primitive 
recursive, if it were given. 

With my representation it seems that using course-of-values recursion is difficult or 
impossible. Instead, inspired by Shankar’s work [Shankar, 1994], I introduced the 
notion of a trace of computation. Shankar used a linear list to represent his compu¬ 
tation, but I used a tree structure. Think of the trace of computation as a finite 
tree where the nodes contain the input and output of each recursive call. The sub¬ 
trees of a node are the traces of the computation of the recursive calls. This tree 
can be coded as one number. I proved that there is a primitive recursive function 
called checkSubFormulaTrace that verifies if a number represents a trace of the 
computation of substitution. This function inspects each node of the tree to verify 
that each child node has the correct inputs based on the inputs of the current node, 
and it verifies that the output of the current node is correct based on the outputs 
of the child nodes. Codes for trees are strictly larger than codes for subtrees, so 
there is no problem using course-of-values recursion on the trace of the computa¬ 
tion. 
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Figure 5.1. Verifying the trace of the computation of substitution in the case of \/y. p. 

Figure 5.1 illustrates the verification of a node in the case of computing 
(VaJj. ip)[xi/t\ when xj € FV(t), which is the most difficult case. The figure illus¬ 
trates a node with two child nodes. The rest of the tree is omitted. The function 
checkSubFormulaTrace verifies that the input to the left child is correct by veri¬ 
fying that the variable x 3 is the quantified variable from the root input formula, 
that the formula <p is the body of the root input formula, and that the new variable 
x k is computed from the root input formula and the term t in the same way that 
substituteFormula computes it. The function checkSubFormulaTrace also veri¬ 
fies that the inputs to the right child are correct by verifying that the variable Xi 
and the term t are the same as the root input formula and that the formula is the 
same as the output formula from the left child. Finally, checkSubFormulaTrace 
verifies that the output formula of the root node is correct by verifying that it 
binds the variable x k and that the body is the same as the output formula of the 
right child. Course-of-values recursion verifies the correctness of the left and right 
subtrees. 

The key to proving that substitution ip[xj/s] is primitive recursive is to create a 
primitive recursive function that computes a bound on how large the code of the 
trace of computation can be for a given input. I constructed a primitive recursive 
function for which it is relatively easy to prove that it bounds the size of the code 
of the trace. This function computes the largest variable index occurring in the 
input, and adds 3 d where d is the depth of the formula ip. This is an upper bound 
on the largest variable index that could be created during the computation of sub¬ 
stitution. Let C be the max of the code of the variable with this index and the 
code for the term s. Let C' be the code of the formula ip with every variable 
(bound or not) replaced by the variable xc- Consider a full binary tree of depth d 
where each node contains three pseudo-input values of C, C, and C", and a pseudo¬ 
output value of C'. I proved that the code of this tree is larger than the code for 
the trace of the computation of substitution. I proved that computing the code of 
this large tree is primitive recursive. I created another primitive recursive function 
that searches for the trace of computation up to this bound. This is composed with 
another function that extracts the result of substitution from the trace of the com- 
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putation. Thus codeSubFormula is primitive recursive. I then proved that 
codeSubFormula is correct by proving that all of the above computation works (not 
an easy task). 


5.3.2 checkPrf is Primitive Recursive 

Given a code for a formula and a code for a proof, the function checkPrf returns 0 
if the proof does not prove the formula; otherwise, it returns one plus the code of 
the list of axioms used in the proof. I proved that this function is primitive recur¬ 
sive, as well as proving that it is correct in the following sense: for every proof p of 
F b ip, checkPrf ( r <p n , r p~') = 1 + r F n ; and for all n, nn : N if checkPrf (n, m) ^ 0 
then there exists ip, F, and some proof p of F b <p such that r ip~ l = n and r p~ l — m. 

The function checkPrf also ensures that all the formulas used in the proof are well 
formed, which means it checks to make sure that all of the function and relation 
symbols are part of the language. In principal this check is not needed, because any 
proof that uses extra symbols in intermediate steps can be transformed into a proof 
that does not use extra symbols; however it was easier to prove the correctness of 
checkPrf with this restriction. 


5.3.3 Efficiency of Primitive Recursive Functions 

As one may imagine, the above functions are quite slow at computing. In partic¬ 
ular, codeSubFormula is even slower than I have suggested above. Instead of com¬ 
puting the depth of ip, I use the code of <p directly, because it serves as a suitable 
upper bound on the depth of <p. These extremely slow functions are fine to use 
because all that is important is that there exists some primitive recursive function 
that could do the computation. The function never actually needs to be executed. 
All that is needed is the fact that these functions can be represented by some first 
order formula. 


5.4 Representing Primitive Recursive Functions 

Informally, an n-ary function / is representable in NN if there exists a formula <p 
such that 

1. the free variables of ip are among a?o, x n . 

2. for all oi,..., a n : N, NNh ip[x i/ r ai n , ...,x n / r a n ~ l \ O aio = r /(ai,..., a n ) n . 

I proved that every primitive recursive function is representable in NN, or rather 
that the interpretation of every primitive recursive expression is representable. It is 
easy to show that the projFuncs and the basic functions zeroFunc and succFunc 
are representable. Much more difficult is showing that the composition and primi¬ 
tive recursion of representable functions are representable. 
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Given formulas ipi that represent n-ary functions for 0 < i < m, and given a formula 
that represents an m -ary function, the composition can be represented by: 

Bx n+1 .... 3x n+m .ip[xi/x n+ i, ...,x m /x n+m ] A <po[xo/x n+ \\ A ... A y> m -i[xo/x n+rr i\ 

The difficulty in proving that the composition of m n -ary representable functions 
with one m-ary representable function is representable is proving that it works for 
all m and n. The proof presented by Hodel [Hodel, 1995] makes heavy use of 
ellipses and is more like a proof schema in terms of m and n. Of course, one cannot 
use ellipses in formal proofs. I felt I could prove the composition lemma for any 
particular m and n, but it was very difficult to create a proof that works for all m 
and n. The proof must proceed by induction on m and n; however, Hodel’s 
proof [Hodel, 1995] offers no indication of which variable to do induction on first, 
nor what inductive hypothesis to use. The key insight was to allow more flexibility 
in the choice of indices for the bound variables. I prove for all w > n that 

3x w+ \.... 3x w+m .xl)[x\/x w+ \, ...,x m /x w+m \ A ipo [xq/x w+ i] A... A cp m -i[xo/x w+m ] 

represents the composition. I proceed by induction first on n and then on m. Even 
with this knowledge, the proof is difficult because n and m are both variables of 
the dependent type of naryFunc. Reasoning about dependent types is quite diffi¬ 
cult, because Coq cannot automatically figure out how to generalize the dependent 
variables in the goal and context to make induction go through. It took some prac¬ 
tice before I was able to figure out how to do the correct generalizations myself. 
Arguably, Hodel’s proof indicates this flexible choice of indices for the bound vari¬ 
ables, because he uses the variables j/i,..., yk , which are not in his formal syntax for 
logic. Instead he says, “The letters x, y, and z are used to denote individual vari¬ 
ables.” [Hodel, 1995, p. 135] This means his notation is ambiguous. When he uses 
x n , is he referring to a formal variable for logic or is it a variable standing for a 
formal variable? It is exactly this sort of subtle ambiguity that makes translating 
paper proofs into formal proofs difficult. I do not believe Hodel is alone in making 
this ambiguity. I suspect most presentations of mathematical logic have such ambi¬ 
guities. 

Proving that the primitive recursion of representable functions is representable 
requires using Godel’s /3-function along with the Chinese remainder theorem. 
Godel’s /3-function is a function that codes array indexing. A finite list of numbers 
ao,..., a n is coded as a pair of numbers (x, y) and (3(x, y, i) = a*. The /3-function is 
special because it can be represented directly in terms of plus and times. The Chi¬ 
nese remainder theorem is used to prove that the /3-function works. 

Primitive recursion is represented by a formula that states the existence of a min¬ 
imal witness to the computation of primitive recursion. A witness is a pair of num¬ 
bers which represents a finite list of numbers representing the intermediate steps of 
the primitive recursion. The elements of this list are accessed using the representa¬ 
tion of Godel’s /3-function. It is important to use the minimum witness in order to 
prove that primitive recursion is representable. If the minimum is not used, it is 
not possible to prove that the formula represents a function that returns a unique 
value. 
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The representability of primitive recursion was one of the most difficult develop¬ 
ments of my proof. The formula representing primitive recursion is moderately 
complicated and uses many bound variables and substitution. Once again, using 
named variables made the work difficult. Throughout my proof, I needed to show 
side conditions about variables not occurring as free variables. With all the quanti¬ 
fiers used in this formula, proving the side conditions became quite a bit of work. 
To aid my work I wrote a tactic called PRsolveFV to automatically generate proofs 
of these side conditions. The proofs generated by PRsolveFV became quite large. 
During development of the proof, when I was using Coq 7.3, generating these 
proofs took several hours. Furthermore, all proof objects were stored in memory. 
The Coq process took up many hundreds of megabytes of memory, and would 
cause the operating system to thrash if there was not sufficient physical memory 
available. During the transition to Coq 8.0, the Coq development team modified 
my proof, inserting commands to temporarily make substituteFormula opaque. 
This prevents the substituteFormula function from being computed and greatly 
speeds up the matching process used by my tactics by bailing out of pattern 
matches earlier. The result is that generating the proofs no longer takes hours. Coq 
also no longer stores all loaded proof objects in memory. Now, on my modern 
laptop, it takes less than 90 seconds and uses less than 80 megabytes of memory to 
check the file containing this proof, PRrepresentable . v. 

Most of the side conditions about variables occur as a result of reasoning symboli¬ 
cally about substitutions in expressions with many quantifiers. Perhaps it would 
have been worthwhile to build a reflection tactic to compute the results of symbolic 
substitution. It is unclear how much work that would be compared to the time that 
would have been saved. It is certain that the resulting proof objects would be much 
smaller, and type-checking would be faster. Unfortunately I was not aware of this 
technique at the time. 

I took care to make the formulas representing the primitive recursive functions 
clearly Si by ensuring that all unbounded quantifiers were existential. For instance, 
I used existential quantifiers in the representation of the composition of functions 
when universal quantifiers would have also worked. Making the representation of 
primitive recursion clearly Si was more difficult. The minimum witness predicate 
says that P(x) A Vy < x.->P(y)- The predicate P(x') is used both in a negative and 
a positive context. To make the resulting formula Si, the first instance, P(x), 
needs to be Si and the second instance, P(y), needs to be IIi. Therefore, I made 
two instances of the predicate used for the minimum witness, primRecSigmaFormu- 
laHelp, and primRecPiFormulaHelp. I have not proven that the formulas are Si, 
because it is not needed for the first incompleteness theorem. Such a proof would 
be used for the second incompleteness theorem (see Section 7.6) and will be 
straightforward to prove given the work I have already done. 




Chapter 6 

The Incompleteness Theorem 


There are two different statements of the incompleteness theorem. The original 
statement that Godel proved in 1931 was that any axiom system of sufficient power 
that is ^-consistent is incomplete [Godel, 1931]. In 1936, Rosser strengthened this 
theorem so that only consistency was required [Rosser, 1936]. I proved both these 
theorems in Coq. I will only discuss Rosser’s version because it is the more general 
theorem. 


6.1 Statement of the Incompleteness Theorem 


The incompleteness theorem states that NN is essentially incomplete. This means 
that for every axiom system T such that 

• NN C T 

• T can represent its own axioms 

• T is a decidable set 

there exists a sentence p such that if T\- ip or T I— up then T is inconsistent. 

My statement applies only to proofs in LNN, the language of NN. This statement 
does not show the incompleteness of theories that extend the language. 

In Coq the theorem is stated as: 

Theorem Incompleteness 

: forall T : System, 

Included Formula NN T -> 

RepresentslnSelf T -> 

DecidableSet Formula T -> 
exists f : Formula, 

Sentence f /\ 

(SysPrf T f \/ SysPrf T (notH f) -> Inconsistent LNN T). 

A System is Inconsistent if it proves all formulas. 

Definition Inconsistent (T : System) := 
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forall f : Formula, SysPrf T f. 

A Sentence is a Formula without any free variables. 

Definition Sentence (f : Formula) := 

forall v : nat, " In v (freeVarFormula LNN f). 

A DecidableSet is an Ensemble such that every item either belongs to the 
Ensemble or does not belong to the Ensemble. This hypothesis is trivially true in 
classical logic, but in constructive logic I needed it to construct the inconsistency. 
Because this hypothesis is true classically, it does not claim that T is a computable 
set. Although a constructive proof of this hypothesis requires T to be computable, 
one cannot use this hypothesis to conclude that there exists a Turing machine that 
decides T. 

Definition DecidableSet (A : Type)(s : Ensemble A) := 
forall x : A, mem A s x \/ mem A s x. 

The RepresentsInSelf hypothesis restricts what a system T can be. The state¬ 
ment of essential incompleteness normally requires T to be a computable set. 
Instead I use the weaker hypothesis that the set T is expressible in the system T. 

Given a system T extending NN and another system U along with a formula ipu 
with at most one free variable Xi, I say ipu expresses the axiom system U in T if 
the following holds for all formulas ip: 

1. if ip e U then T b < J oc/[£Ci/ r '0 _l ] 

2. if ip£U then T I— ip u [xi/ r ip~'] 

I say U is expressible in T if there exists a formula ipu such that <pu expresses the 
axiom system U in T. 

In Coq I state that T is expressible in T as 

Definition RepresentsInSelf (T : System) := 
exists rep : Formula, exists v : nat, 

(forall x : nat. In x (freeVarFormula LNN rep) -> x = v) /\ 

(forall f : Formula, 

mem Formula T f -> 

SysPrf T (substituteFormula LNN rep v 

(natToTerm (codeFormula f)))) /\ 

(forall f : Formula, 

mem Formula T f -> 

SysPrf T (notH (substituteFormula LNN rep v 

(natToTerm (codeFormula f))))). 

This is weaker than requiring that T be a computable set, because any computable 
set of axioms T is expressible in NN. Since T is an extension of NN, any com¬ 
putable set of axioms T is expressible in T. 
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By using this weaker hypothesis, I avoid defining what a computable set is. Also, in 
this form the theorem could be used to prove that any complete and consistent 
theory of arithmetic cannot define its own axioms. In particular, this could be used 
to prove Tarski’s theorem that the truth predicate is not definable. 


6.2 The Fixed Point Theorem 

The fixed point theorem states that for every formula <p there is some formula ip 
such that 

NNhi/i ip[xi/ r ip^\ 

and that the free variables of ip are the free variables <p with cc,; removed. 

Lemma FixPointLNN : 
forall (A : Formula) (v : nat), 

{B : Formula I 
SysPrf NN 

(iffH B (substituteFormula LNN A v 

(natToTermLNN (codeFormula B)))) /\ 

(forall x : nat, 

In x (freeVarFormula LNN B) <-> 

In x (list_remove _ eq_nat_dec v (freeVarFormula LNN A)))}. 

The fixed point theorem allows one to create “self-referential sentences”. I used this 
to create Rosser’s sentence which states that for every code of a proof of itself, 
there is a smaller code of a proof of its negation. The proof of Rosser’s incomplete¬ 
ness theorem requires doing a bounded search for a proof, and this requires 
knowing what is and what is not a proof in the system. For this reason, I require 
the decidability of the axiom system. Without a decision procedure for the axiom 
system, I cannot constructively do the search. 


6.3 Provability Predicate 

Let T and U be axiom systems such that there is some formula <pu that expresses 
the axioms of U in T. This can be combined with checkPrf to create a formula 
called codeSysPrf such that codeSysPrf [xo/ r n~ [ , x\/ r m~'\ is provable in T if and 
only if m is the code of a proof in U of the formula coded by n. Another formula 
codeSysPf can be derived from codeSysPrf by adding an existential quantifier for 
Xi so that codeSysPf [,xo/ r u n ] is provable in T if there exists a proof in U of a for¬ 
mula coded by n. 

The formulas codeSysPrf, codeSysPf, etc. are not derived from primitive recursive 
functions so that the incompleteness theorem applies to axiom systems that may 
not have a primitive recursive characteristic function. 
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6.4 Essential Incompleteness of NN 

All the pieces are in place for proving the essential incompleteness of NN. Suppose 
T is a system extending NN that satisfies the requirements of the incompleteness 
theorem. The axioms of T can be expressed in itself, so there exists a formula 
codeSysPrf for checking proofs of T in T. The fixed point theorem is applied to 
Vxi. codeSysPrf =>• 3x2 ■ A codeSysPrf Not [x\/x 2 [ with the free variable xq 

to create Rosser’s sentence. The codeSysPrfNot formula is derived from the 
codeSysPrf formula such that codeSysPrfNot[a;o/ r u n , x\ / r m n ] is provable in T if 
and only if m is the code of a proof in U of the negation of the formula coded by n. 
Finally, I can prove that if T proves the Rosser sentence or if T proves the nega¬ 
tion of the Rosser sentence, then T is inconsistent. 

Hodel [Hodel, 1995] adds an extra axiom to NN, producing a system called NN+, in 
order to prove the Godel-Rosser incompleteness theorem: 

• XQ.^fX\. (^Xq — X\ V Xq < C. 2?l) —k Xq Sx\ 

Leo Harrington pointed out to me that this extra axiom is not necessary. Hodel 
uses this axiom in only one place, to prove (xq = r n~ l V xq < r rP) => xq < S r n~' 
for all n. However, it is possible to prove this in NN already. Thus I proved the 
essential incompleteness theorem for NN instead of NN + . 


6.5 Essential Incompleteness of Peano Arithmetic 

Peano arithmetic (PA) is not an extension of NN for two reasons. First, the induc¬ 
tion scheme of PA replaces some of the axioms of NN. Requiring that T include all 
the axioms of NN for the incompleteness theorem was a small error on my part. 
Instead I should have required that T prove all the axioms of NN. Fortunately this 
slightly stronger theorem should be an easy corollary of my existing statement of 
the incompleteness theorem. The second reason is that Peano arithmetic uses the 
language of number theory, which is in a different language than that of NN; the 
incompleteness theorem for NN only applies to systems with the language LNN. 

The language of number theory is a subset of the language of NN, so it is possible 
to inject formulas from the language of number theory into the language of NN. 
Let T' be the union of NN with the axioms of T injected into the language of NN. 
It is easy to prove that if T proves a formula <p, then T’ proves p', where p’ is the 
formula p injected into the language of NN. I also proved that if T' proves a for¬ 
mula ip, then T proves ip', where ip' is the formula ip translated back into the lan¬ 
guage of number theory according to the translation given in Section 4.8. The 
codeSysPrf function and associated lemmas had only been proven valid for exten¬ 
sions of NN. I used this translation mechanism back and forth between T and T' to 
allow me to reuse the theorems about codeSysPrf. With this I was able to take 
the proof of the Godel-Rosser theorem for NN and modify it to prove the essential 
incompleteness of Peano arithmetic. 
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The most obvious application of the essential incompleteness of Peano arithmetic is 
to apply it to PA itself. Peano arithmetic is a decidable theory that can represent 
its own axioms. It is trivially an extension of itself. I constructed a primitive recur¬ 
sive function to check if a number is the code of an instance of Peano arithmetic’s 
induction schema (see Section 4.8). It was then easy to create a primitive recursive 
function to check to see if a number codes an axiom of PA. Because all primitive 
recursive functions are representable, I could create a predicate that represents the 
axioms of PA in NN, and, by translation, in PA also. Finally, by Rosser’s incom¬ 
pleteness theorem, I proved that if PA is complete then it is inconsistent. However, 
it is possible to go further still. 


6.6 Model Theory 

Coq is sufficiently powerful to prove the consistency of Peano arithmetic. This 
allowed me to prove the incompleteness of Peano arithmetic—there (constructively) 
exists a sentence ip such that neither PAb <p nor PA I— up. 

Theorem PAIncomplete : 
exists f : Formula, 

Sentence f /\ '(SysPrf PA f \/ SysPrf PA (notH f)). 

I proved the consistency of Peano arithmetic by proving that the natural numbers 
form a model. A model is a structure that contains a type, along with interpreta¬ 
tions of the function and relations symbols. 

Record Model (L:Language) : Type := model 
{U : Set; 

func : forall f : Functions L, naryFunc U (arity L (inr _ f)); 
rel : forall r : Relations L, naryRel U (arity L (ini _ r))>. 

Formulas can be interpreted with respect to a model plus a valuation function that 
assigns values to free variables occurring in the formula. A system has a model if 
all the interpretations of all the formulas of the system hold. I proved that any 
system that has a model is consistent. 

One notable difficulty is that Coq’s logic is constructive while the internal logic is 
classical. Therefore, it is difficult to interpret the proofs of the internal logic as 
proofs in Coq. Instead of directly interpreting the formulas, I use a negative trans¬ 
lation of the formulas. In particular, I use Kuroda’s negative translation [Troelstra 
and Schwichtenberg, 1996, p. 42], This translation of a formula places two nega¬ 
tions inside each universal quantifier, and two negations outside the entire formula. 
For example, I interpret Va;o- Vaq. (Sa^o = Sx\ => xq = x\) as 

. .V;r:N.-.--Vy:N.-.-.(S(a) = S (y)^x = y). 

It was then easy for me to prove that the interpreted formula will always hold if 
the original formula is provable from a system that has a model. From this I 
proved that a system cannot both have a model and be inconsistent. 
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Lemma ModelConsistent 

: forall (L : Language) (M : Model L) (T : System L) 

(value : nat -> U L M), 

(forall f : Formula L, 
mem (Formula L) T f -> 

interpFormula L M value (nnTranslate L f)) -> 

Consistent L T. 

There is an alternative to the negative translation if the interpretation of all rela¬ 
tion symbols (including equality) are stable. Recall that a relation is stable if 
x n -1) =>■ R(x o, x n -1). In this case one can directly interpret proofs 

and formulas inside Coq. The only tricky point is proving that the contrapositive 
axiom, CP, holds for all formulas. With the assumption that atomic formulas are 
stable, one can prove CP holds for atomic formulas. One can then prove that it 
holds for all formulas by induction on the syntax of formulas. This is possible 
because the primitive connectives of my formulas are (V), (=>), and (-■). All these 
connectives have the same interpretation in constructive logic as they do in classical 
logic. Only the logical connectives (3) and (V) have different interpretations in con¬ 
structive logic. 

Equality over the natural numbers is provably stable in constructive mathematics, 
so this direct interpretation technique could have been used. However, I was 
unaware of this direct interpretation at the time I proved the ModelConsistent 
theorem. In the future, this direct interpretation could be implemented, allowing 
one to directly translate theorems from the inner logic into theorems in Coq. Cur¬ 
rently equality is always interpreted as Leibniz equality. Because Coq has no quo¬ 
tient types, in the future it would be better to allow equality to be interpreted as 
any equivalence relation, and require the function and relation interpretations to be 
well defined with respect to the equivalence relation. 



Chapter 7 
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7.1 Trusting the Proof 

If one accepts the correctness of the proof checker, Coq, then one only needs to 
verify that I correctly stated the incompleteness theorem. One needs to check the 
definitions of all the expressions used in the statement and verify that no axioms 
have been assumed. In fact, the proof depends on the Ensembles library which 
declares an axiom of extensionality for Ensembles, but one can verify that I never 
use this axiom. Fortunately, one does not need to check anything about coding or 
primitive recursive functions because these are not used in the statement of the 
incompleteness theorem. 


7.2 Creating a Constructive Proof 


Hodel did not constrain himself to giving a constructive presentation of the incom¬ 
pleteness theorem. However, creating a constructive proof from his presentation 
was not difficult. Godel even noted in his original paper that his argument was 
intuitionistically proven [Godel, 1931]. In my development, there were only two 
notable spots where using constructive logic was an issue. 

One spot was the proof of the deduction theorem (see Section 4.6) where I origi¬ 
nally used an assumption that language was decidable in order to prove p = ip V 
ip ip for any two formulas ip and ip. However, as I noted in that section, I was 
later able to modify this proof to remove even this innocent assumption. 

The second spot was in my proof that Peano arithmetic is consistent (see Sec¬ 
tion 6.6). Technically, this is not even part of the incompleteness theorem. The dif¬ 
ficulty was interpreting the classical deductions of Peano arithmetic in Coq’s con¬ 
structive metalogic. However, as I noted in that section, using a double negation 
interpretation works and allows one to conclude that Peano arithmetic is consistent 
from the fact that Coq’s natural numbers form a model of the axioms. 
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Even though my meta-system, Coq, is constructive, I still used classical logic for 
the internal system. I did this because no one expects a constructive system to be 
complete, so proving the incompleteness theorem for constructive systems did not 
seem worthwhile. 


7.3 Extracting the Sentence 

Because my proof is constructive, it is possible, in principle, to compute the sen¬ 
tence that makes Peano arithmetic incomplete. This was not done for two reasons. 
The first reason is that the existential statement lives in Coq’s Prop universe, and 
Coq only extracts from its Set universe. This was an error on my part. Fixing it to 
use Coq’s Set existential quantifier should be fairly easy. The second reason is that 
the sentence contains a closed term of the code of most of itself. This code is a 
large number and it is written in unary notation. This would likely make the sen¬ 
tence far too large to be actually printed. Perhaps there is some way of convincing 
Coq to compute the Godel sentence by writing the codes in standard decimal nota¬ 
tion. 


7.4 Robinson’s System Q 

The proof of essential incompleteness is usually carried out for Robinson’s system 
Q. I instead followed Hodel’s development [Hodel, 1995] and used NN. System Q is 
PA with the induction schema replaced with 

Va:o- 3cci. (xo = 0 V xo = Sxi). 

All of NN axioms are IR, whereas Q has the above IR axiom. Both axiom systems 
are finite. 

Neither system is strictly weaker than the other, so it would not be possible to use 
the essential incompleteness of one to get the essential incompleteness of the other; 
however, both NN and Q are sufficiently powerful to prove a small number of 
needed lemmas, and afterward only these lemmas are used. If one abstracts my 
proof at these lemmas, it would then be easy to prove the essential incompleteness 
of both Q and NN. 


7.5 Comparisons with Shankar’s 1986 Proof 

It is worth comparing this formalization of the incompleteness theorem with 
Shankar’s 1986 proof in the Boyer-Moore theorem prover. The development of my 
proof is similar to Shankar’s development. The time frame is even similar; Shankar 
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spent eighteen months developing his proof, and I spent sixteen months 
(2002-03/2003-06-13) developing mine. It is unclear what this similar development 
time indicates. Perhaps the development has some intrinsic difficulty that proof 
systems have not removed in the last fifteen years. A fast computer does not help 
me much because the computer spends most of its time idle as I create my proof. 
On the other hand, perhaps there has been some improvement. I do not know how 
much experience Shankar had with the Boyer-Moore proof system, but this was my 
first major proof in a proof system. I only started using Coq a few months prior, 
and the most significant work I had previously done was to prove there are not a 
finite number of primes. I managed to do a more difficult version of the incomplete¬ 
ness theorem in more generality in a shorter period of time. 

The most notable difference is between the proof systems. In Coq, the user is 
expected to input the proof, in the form of a proof script, and Coq will check the 
correctness of the proof. In the Boyer-Moore theorem prover, the user states a 
series of lemmas and the system generates the proofs. However, using the Boyer- 
Moore proof system requires feeding it a “well-chosen sequence of 
lemmas” [Shankar, 1994, p. xii]. Still, it seems the information being fed into the 
two systems is similar. 

There are some notable semantic differences between Shankar’s statement of incom¬ 
pleteness and mine. His theorem only states that finite extensions of Z2, heredi¬ 
tarily finite set theory, are incomplete, whereas my theorem states that even 
infinite extensions of NN are incomplete as long as they are self-representable. 
Also, Shankar’s internal logic allows axioms to define new relation or function sym¬ 
bols as long as they come with the required proofs of admissibility. Such extensions 
are conservative over Z2, but no computer verified proof of this fact is given. My 
internal logic does not allow new symbols. Finally, I prove the essential incomplete¬ 
ness of NN. NN is a weaker system than Z2, and uses the language of arithmetic. 
Without any set structures, the proof is somewhat more difficult and requires using 
Godel’s /3-function. 

One of Shankar’s goals when creating his proof was to use a proof system without 
modifications. Unfortunately he was not able to meet that goal; he ended up 
making some improvements to the Boyer-Moore theorem prover. My proof was 
developed in Coq without any modifications. 


7.6 Godel’s Second Incompleteness Theorem 

The second incompleteness theorem states that if T is a system extending PA (or a 
somewhat weaker system) such that T satisfies the requirements of the first incom¬ 
pleteness theorem and T h Con-r, then T is inconsistent. The formula Conr is some 
reasonable sentence stating the consistency of T, such as —Prov-rU - '(V ccq. 
a?o = Xo) n ), where Prov^ is the provability predicate codeSysPf for T. 




Remarks 


If I had created a formal proof in Peano arithmetic of Godel’s incompleteness the¬ 
orem, I would have bpA “Godel’s first incompleteness theorem”. This formal proof 
could then be mechanically transformed to create another formal proof in PA that 
h pa (PA b “Godel’s first incompleteness theorem”). The second incompleteness the¬ 
orem follows from this by a short argument. Unfortunately, I have only shown that 
bCoq “Godel’s first incompleteness theorem”, so I cannot use the above argument to 
create a proof of the second incompleteness theorem. 

Still, this work can be used as a basis for formalizing the second incompleteness 
theorem. The approach would be to prove the Hilbert-Bernays-Lob derivability 
conditions: 

1. if Tb ip then T b Prov/C p ^ 

2. TV- Prov T ( r ¥> n ) =>■ ProV'r( r ProV'r( r <p n )~ l ) 

3. TV- Prov r ( r <£> =>- ip n ) Prov-rC"^” 1 ) =>- ProvT( r ^> n ) 

The second incompleteness theorem follows easily from Godel’s first incompleteness 
theorem and these three conditions [Shoenfield, 1967]. I proved the second incom¬ 
pleteness theorem in Coq from the assumption that codeSysPf satisfies these three 
conditions. The first condition is basically the same as one of the correctness condi¬ 
tions for codeSysPf used in the first incompleteness theorem, so it was easy to 
prove. All that remains is to prove the last two conditions. 

The second condition will be the most difficult to prove. It is usually proved by 
first proving that for every Si sentence ip, PA b p => ProvpA( r </C). Because I made 
sure that all primitive recursive functions are representable by a Si formula, the 
second derivability condition would be a direct corollary. 


7.7 Proof Development 

I did a lot of cut and paste work when developing my proof. In Coq it is hard to 
reuse part of an existing proof because there are no tools for helping one to 
abstract part of a proof. For example, when doing two branches of a case analysis, 
one may find oneself doing the exact same proof (or similar proofs) in each case. 
However, it is difficult to abstract out this proof by hand because it means writing 
out the full statement of the lemma and generalizing the terms. It is so much easier 
to just cut and paste the proof script and fix the names of the hypothesis. This 
same problem is faced by programmers in many programming languages. 

When developing a formal proof in Coq, I did a lot of moving back and forth over 
the proof script. Often one wants to back up to adjust the inductive hypothesis, or 
assert a lemma. Because some tactics automatically generate hypothesis names 
based on the context, the hypothesis may sometimes get new names when moving 
back and forth. This means that any reference one has to the old hypothesis names 
are no longer valid and need to be changed, which creates a lot of work. A strong 
discipline of avoiding automatically generated names by naming hypotheses oneself 
can alleviate this problem. 



7.8 Statistics 


My formal proof follows a typical modern presentation of the incompleteness the¬ 
orem. I used a Hilbert-style deduction system for classical logic. I used named vari¬ 
ables for both free and bound variables in formulas. I defined substitution as sub¬ 
stitution of one variable. I used primitive recursive functions to program checkPrf. 
The only unusual step I took in my proof was to follow Hodel’s idea of using the 
Cantor pairing function to encode data structures as numbers, rather than using 
Godel’s encoding that requires the fundamental theorem of arithmetic. Looking 
back I feel that all these choices were bad choices (except the idea of using the 
Cantor pairing function). If I were to do this project again I would use a sequent 
calculus or perhaps a natural deduction system to get a constructive logic. I would 
use some other way of dealing with variable binding. I am inclined to try a novel 
approach such as using the nested datatype representation [Bird and Meertens, 
1998][Hirschowitz and Maggesi, 2006] (with simultaneous substitution), or perhaps 
I would use a nominal approach to binding [Pitts, 2006]. I would consider using 
partial recursive functions instead of primitive recursive functions. These functions 
can be interpreted in Coq by functions that return a coinductive container of the 
result type [Capretta, 2005]. As a beginner at Coq, I could not have been expected 
to know all these alternatives before I started, and, in fact, many of these tech¬ 
niques have developed since I completed my proof. 

I have shown that one can, with enough effort, create formal proofs that follow 
standard mathematical arguments. However, following a standard mathematical 
argument seems to be a poor way to create formal proofs. Instead it is probably 
better to innovate new approaches so that the proof becomes easier to formalize 
and/or the theorem becomes more general. For example, dealing with bound and 
free variables is typically considered a solved problem by logicians; however, it is 
currently an active field of research for formal mathematics and computer sci¬ 
ence [Aydemir et al., 2005]. I suspect that when mathematicians omit tedious 
proofs (such as results about variables and substitution) it is a sign that they are 
taking the wrong approach to a problem, or perhaps using the wrong structures. 


7.8 Statistics 

My proof [O’Connor, 2005c], excluding standard libraries and the library for Pock- 
lington’s criterion [Caprotti and Oostdijk, 2001], consists of 50 source files, 7 223 
lines of specifications, 38 469 lines of proof, and 1 288 796 total characters. The 
size of the gzipped tarball (gzip -9) of all the source files is 149 698 bytes, which 
is an estimate of the information content of my proof. 




Part II 

Exact Real Arithmetic 




Chapter 8 
Introduction 


Several mathematical theorems rely on numerical computation of real number 
values in their proofs. One example is the disproof of the Mertens conjec¬ 
ture [Odlyzko and teRiele, 1985]. The Mertens conjecture, which implies the Rie- 
mann hypothesis, claims that the partial sums of the Mobius function are bounded 
in absolute value by the square root function. Odlyzko and te Riele disproved the 
Mertens conjecture. Their disproof involves computing the first hundred decimal 
digits of the first two thousand zeros of the Riemann zeta function. 

Another example is Hales’s famous proof of the Kepler conjecture [Hales, 2002]. 
This proof involves verifying thousands of nonlinear inequalities over the real num¬ 
bers. These inequalities were verified by special purpose software. Unfortunately, 
the peer review process has failed to fully accept the proof as correct. After four 
years, the twelve referees could only claim to be 99% certain of the correctness of 
the proof [Hales, 2006]. In response, Hales has started the Flyspeck project [Hales, 
2006], a project to create a computer-verified proof of the Kepler conjecture. A full 
computer-verified proof will verify both the mathematical and computational parts 
of the proof together. 

Many other proofs rely on real number computation. All of these proofs require a 
verified implementation of real number arithmetic before these proofs can be veri¬ 
fied by a computer. By verified implementation, I mean a software verified library 
of continuous functions on R where computations can be performed to arbitrary 
precision. One such library has been created by Cruz-Filipe as a product of his 
software verified constructive proof of the fundamental theorem of calculus [Cruz- 
Filipe, 2003]. Because Cruz-Filipe’s proof is constructive, the functions in his 
library can be evaluated. However, this construction was not designed with execu¬ 
tion in mind, so unfortunately, evaluation is not practical [Cruz-Filipe and Spitters, 
2003]. Therefore, if one wants to handle the problems encountered in the aforemen¬ 
tioned mathematical proofs, a new library is needed. 

This part develops a new constructive implementation of real numbers via a new 
characterization of metric spaces (Chapter 9). A generic method of completing 
metric spaces is developed and satisfies the properties of a monad (Chapter 10). 
This generic monadic interface is simple and elegant to use, and at the same time 
practical enough to run the computations needed for proofs. This work contributes 
not only to the Flyspeck project, but to any project requiring a verified library of 
functions for exact real arithmetic. 
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Three different complete metric spaces are developed: 

• Chapter 11 develops the real numbers as the completion of the rational num¬ 
bers. This chapter is based on my publication, “Certified Exact Transcen¬ 
dental Real Number Computation in Coq” [O’Connor, 2008a]. 

• Chapter 12 develops integrable functions as the completion of rational step 
functions. This chapter is based on a paper by Bas Spitters and myself enti¬ 
tled, “A computer verified, monadic, functional implementation of the inte¬ 
gral” [O’Connor and Spitters, 2009]. 

• Chapter 13 develops compact sets as the completion of finite sets. This 
chapter is based on my publication, “A Computer Verified Theory of Com¬ 
pact Sets” [O’Connor, 2008b]. 

The purpose of this work is to formally verify the proofs presented in this part 
using a proof assistant. To this end, I have included many theorems with detailed 
proofs in order to help ease the formalization process. Those readers who are only 
interested in the data structures and operations may wish to skip over the details of 
the proofs. All of the theorems in this part have been verified by the Coq proof 
assistant except where otherwise noted. 


8.1 Notation 


The strictly positive rationals are denoted by Q + , while the non-negative rationals 
are denoted by Q 0+ . The strictly positive rationals with positive infinity are 
denoted by Q+. Similar notation is used for reals and natural numbers. The injec¬ 
tion (Q+ => and some other similar injections will be omitted and their use 
will be implicit. 

I use the notation f( n \x) to express the operation / iterated n-times, while f n (x) 
means (f(x)) n . However, I will follow tradition and use / -1 to indicate the inverse 
function of /, despite the fact that f ( r> would actually be more appropriate. 

_L b 

I will sometimes use the notation a for min (a, b ) and a for max (a, 6), particu- 

J b _ j_c 

larly when the primary focus is on the a expression. I will use the notation a for 
min (max (a, b), c). In order to avoid confusion, this “clamp” notation will only be 
used in contexts where b < c since min (max (a, 6), c) = max (min (a, c), b) in this 
case. 


The notation [a] and |_aj is used to denote ceiling(a) and floor(o) respectively. The 
notation [a] is used to denote round(a) which rounds a to the nearest integer. I do 
not state which integer i is rounded to; the proofs only rely on the fact that |_a] is 
an integer such that |a — |_a~] | < i. 

Generally speaking, I will use different styles of variables for different types in 
accordance with the following table. 




8.2 Rational Numbers 
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Variables 

Types 

a, b, c 

rational numbers or points in an incomplete metric space 

n, m 

natural numbers 

x,y,z 

real numbers or points in a complete metric space 

f,9,h 

functions or function-like values 

X,Y, Z 

types and type-like values, especially for metric spaces 

e, S, 7 

values of type Q+ or Q+ 

M,B,C,... 

predicates or other set-like values 

a, 

type constructors, especially for functors and monads 


Table 8.1. A guide to variable name usage 


However, I may violate this convention when necessary for clarity. 


8.2 Rational Numbers 


The rational numbers <Q form the foundation for my metric space development. 
They play a particularly crucial role in my development of the real numbers (see 
Chapter 11). It is worth taking a detailed look at how they can be represented. 

There are two obvious ways to represent Q. The first way to define Q is as a setoid 
on Z x N+ where 


(n i, di) >cq (ri2, do) := n\ d^ =z U2 d\. 

The pair (n, d) represents the rational number h. The second way to define Q is as 
a dependent pair 3 p: 7L x N+. coprime(7ri(p), 7r2(p)). In this case, one can use regular 
equality because coprime is a classical predicate, meaning that coprime(x, y) has at 
most one proof (see Section 2.2.10). In either case, a binary representation for 7L 
and N is used to allow for efficient arithmetic operations. 

There are other ways of representing Q. Most notably, Q can be defined using a 
continued fractions representation [Niqui, 2004]. Using this representation, there is 
no need to use a setoid relation nor is there a need to select canonical elements 
using a dependent pair. However, there are some efficiency issues with the con¬ 
tinued fraction representation, so I did not choose to use it for my work. 

The Coq standard library represents Q using the setoid representation. The 
problem with the dependent pair representation is that every operation must 
reduce the numerator and denominator to lowest terms before returning it. This 
reduction is effectively a GCD computation, and doing it after every operation can 
become expensive. However, never reducing the numerator and denominator can 
eventually lead to computations involving very large integers, which slows down 
evaluation. The standard library does not do any reduction after any of the stan¬ 
dard operations. The library instead proves a function Qred that the user can call 
to reduce the pair to lowest terms. This leaves it to the user to decide when to 
reduce and when not to reduce. 
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Introduction 


I made very little use of Qred in my implementation. In Section 11.5.1, I define a 
compress function that reduces the size of numerators and denominators used 
during real number computation, thus avoiding running a GCD computation. How¬ 
ever, I do not apply the compress function after my operations. Similar to the Coq 
standard library, I leave it up to the user to decide when to call compress to do the 
reduction. 

I found that representing Q+ as a setoid on N + x N + worked better than repre¬ 
senting it as the dependent pair 3 q: Q.O < q. I defined an implicit injection i: 
Q+ =4. (Q, which makes it easy to use positive rationals in contexts requiring a 
rational number. 

I will keep the representation of Q and Q + abstract for the discussion within this 
thesis. I will use the equals symbol on rational numbers ( =<q ) with the under¬ 
standing that one might use a setoid equality for one’s representation instead. 

I believe my work could be redeveloped using dyadic rational numbers (rational 
number whose denominator is a power of 2) instead of <Q. This might be more effi¬ 
cient at the cost of making the reciprocal operation (Section 11.3) and some other 
operations more complicated to define. 


8.3 Regular Functions of Rationals 

Abstractly, real numbers can be defined as any complete, Archimedean, ordered 
field; however, in order to show that such a structure exists, it is necessary to pro¬ 
duce a model of the real numbers. One common model of the constructive real 
numbers consists of equivalence classes of Cauchy sequences of rational numbers 
with a constructive modulus of convergence [Geuvers and Niqui, 2002]. 

Bishop and Bridges [Bishop and Bridges, 1985] define the real numbers to be reg¬ 
ular sequences of rational numbers with an equivalence relation. 


Definition 8.1. A sequence x n is regular if 

Vmn: N+. \x m — x n \ < — + —. 

m n 


Two regular sequences x and y are equivalent (x x y) if 
Vn: N+. \x n — y n \<^- 

Under this equivalence relation, regular sequences are isomorphic to Cauchy 
sequences. Every regular sequence is a Cauchy sequence, and every Cauchy 
sequence can be transformed into a regular sequence by using its modulus of con¬ 
vergence to select a suitable subsequence. 



8.3 Regular Functions of Rationals 
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One can think of a regular sequence as a function that approximates a real number 
by taking a positive number n to a rational number x n that is within — of the real 
number the sequence represents. Instead of using such coarse-grained approxima¬ 
tions, one can generalize the concept of regular sequences to regular functions. 

Definition 8.2. A function x: Q + => Q is regular if 

Vsie 2 .\x(ei) -x(e 2 )\<e 1 +e 2 , 


and two regular functions x and y are equivalent if 
Ve. \x(s) — y(s)\ <2e. 

Regular functions are isomorphic to regular sequences. Any regular function can be 
transformed into the regular sequence An: N+.x^ and any regular sequence can 
be transformed into a regular function that maps e to some x n such that ^ < e. 

One can think of a regular function as a function that approximates a real number 
by taking a positive rational number e to a rational number that is within e of the 
real number the function represents. Regular functions allow more fine-grained 
approximations than regular sequences allow. This fine control can prevent unnec¬ 
essary over-approximation when doing calculations. 

Regular functions, like regular sequences, can be used not only to construct the 
reals, but to complete any metric space. 




Chapter 9 
Metric Spaces 


A traditional definition of a metric space is a set X with a distance function d: 
X => X => IR^j" satisfying certain properties [Burago et al., 2001]; however, the pur¬ 
pose of this part is to define IR as the completion of a metric space. This task 
requires a definition of metric space that does not presuppose the existence of R. 
Given a traditional metric space, one can define a distance relation B x (a, b) := 
d(a, b) < e where £: <Q + . This distance relation does not depend on R, but it still 
completely characterizes the metric space. 


Definition 9.1. Given a tuple (A, x , B x ), where x is an equivalence relation on 
X and B x : Q+ =>A=>A=>*isa relation respecting the equivalence relation on 
X, meaning that 


a 0 X => b 0 x &1 => ( B x (a 0 , b 0 ) <^> B x (a\, b \)), 

we call ( X, x , B x ) a metric space if the following properties hold: 

1. Vo£. B x (a,a) 

2. \/ab£.B x (a,b)^B x (b,a) 

3. Vabc£iE2-B x 1 (a,b)=> B x 2 (b,c)=> B x 1+£2 (a,c) (triangle law) 

4. Mabe. (V<5. B x +S (a, b)) => B x (a, b) 

5. Mab. (Vs. B x (a, 6)) => a x 6 

I use the symbol B for the distance relation because if B x (a) is considered as a 
predicate, then the set of points satisfying B x (a) are exactly the points that are 
within £ of a. Therefore, B x (a) can be understood as a ball of radius £ around a. 

Axioms 1 and 2 state that the distance relationship is reflexive and symmetric. 
Axiom 3 is a form of the triangle inequality. Axiom 4 states that B x (a) is a closed 
ball. I use closed balls because they are usually classical propositions, so they can 
be ignored during evaluation (see Section 2.3.2). For some metric spaces, such as 
the real numbers, open balls are defined with existential quantifiers, and their use 
would lead to unnecessary computation under strict evaluation [Cruz-Filipe and 
Spitters, 2003], which is the evaluation strategy used by Coq’s vm_compute com¬ 
mand (see Section 11.7). Axiom 5 states the identity of indiscernibles. 




Metric Spaces 


Given this definition of a metric space, the traditional metric can be recovered 
(classically) by defining d(a, b) := inf |c | B x (a, 6)}—the infimum of the empty set 
is taken to be oo. One can easily show that my definition of a metric space is clas¬ 
sically equivalent to the traditional definition. 

My definition of a metric space is more general than the definition given by Bishop 
and Bridges [Bishop and Bridges, 1985]. Their definition requires that the distance 
between any two points can be computed to any given precision. Given my defini¬ 
tion of a metric space, such a computation may not be possible. For example, if X 
is a metric space, then the space of functions E => X can be given a metric where 
g) := Va. B x (f(a), g(a)) (see Section 10.2). In general, the distance 
between two functions is uncomputable under this metric, and Bishop and Bridges 
would not consider this a metric space. 

Notation 9.2. Sometimes an extended distance relation B x : => X => X => * 

will be used where B^{a, b) := T and for e: Q + , B x (a, b) := B x (a, b). 

It is useful to note that if two points are within e\ of each other, then they are also 
within £2 of each other whenever e\ < £2. 

Theorem 9.3. For any £1 and £2 such that £1 < £2, if B x (a, b) holds then B x 2 (a, 
b) holds. 

Proof. B x 2 _ £l (b, b) holds by reflexivity. Therefore, B x 2 (a, b) holds by the 
triangle law. □ 


9.1 Uniform Continuity 

Definition 9.4. Given two metric spaces (X, x , B x ) and ( Y. x, £?' ), a function 
f:X=>Y is uniformly continuous with modulus g: (Q + => if 

yabe.B x {£) (a,b)=>BY(f(a),f(b)). 


A function f: X =$>Y is uniformly continuous if there is some g such that / is uni¬ 
formly continuous with modulus g. 

Notation 9.5. When a function f is uniformly continuous, I will write f: X —> Y 
using a single-bar arrow. This indicates that f is not just a function, but it is a 
dependent tuple 


3(/, P ): (*=► Y) x (Q+ =► Q+ ).Mabe. B x (s) (a, b) * BY(f(a), f(b)) 
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consisting of a function, its modulus of continuity, and a proof that it is uniformly 
continuous. 


This structure is a morphism in the category of metric spaces with uniformly con¬ 
tinuous functions between them. When f:X—>Y, I will leave the projections 
implicit and write f{x) instead of iri(-iri(f))(x). (The coercion mechanism in 
Coq [The Coq Development Team, 2004] allows the projection function to be 
inferred in the same way in the formal proofs.) 

This definition of uniform continuity is the same as the usual definition except that 
the relation between e and S is instead explicitly given by jif. 


Notation 9.6. Sometimes an extended function p: Q+, => Q+, will be used where 
p(oo) := oo and for e: Q + , p{e) := p{e). 


Theorem 9.7. The identity function I is uniformly continuous with modulus I, 
and if f: X —>Y and g:Y —> Z are both uniformly continuous, then the composition 
go f: X —> Z is uniformly continuous with modulus (Tf o p g . 


Proof. Easy. 


□ 


9.2 Prelength Spaces 


In a metric space, just because two points a and b are within l of each other does 
not mean that there exist curves of length approaching l that connect these points. 
A metric space that has such curves is known as a length space [Burago et al., 
2001]. Since the notion of curves presupposes the real numbers, I introduce the 
weaker notion of a prelength space. 


Definition 9.8. A prelength space is a metric space such that 


VabeS\S2-e < Si + 62=$- Bp (a, b) =>■ 3c. B£(a, c) A Bf 2 (c, b). 


This property implies that if two points a and b are within l of each other, then 
there is a path of points connecting a to b with consecutive points within S of each 
other whose total length is less than l + s. 


Theorem 9.9. In a prelength space, for any a, b, e, So, ...,S n -1 such that B£(a,b) 
holds and e < $o + ■■■ + S n - 1, there exist co, ..., c n such that Co = a, c n = b, and 
Vi <n. Bf.{ci, Cj+i) holds. 
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Metric Spaces 


Prelength spaces are quite common. For example, all normed vector spaces are pre¬ 
length spaces. All the metric spaces considered in this thesis are prelength spaces. 
A prelength space is also known as a metric space with approximate midpoints. 


Theorem 9.10. (<Q, = , Bis a prelength space where B^(a, b) := \a — b\ <e. 


9.3 Classification of Metric Spaces 

There is a hierarchy of classes that metrics can belong to. The strongest class of 
metrics is the decidable metrics. 

Definition 9.11. A decidable metric is a distance relation B x such that 
Vabe. B x (a : b)V >B x (a.b). 


The constructive disjunction here means that a constructive proof contains an algo¬ 
rithm for computing whether two points are within e of each other or not. The 
metric on (Q has this property; however, this disjunction cannot be constructed for 
the metric on R. 

The next strongest class of metrics is what I call the located metrics. 

Definition 9.12. A located metric is a distance relation B x such that 
Mabed. 8 <e=> B x (a, b) V -.Bf (a, b). 

This is similar to being decidable, but there is a little extra wiggle room. If a and b 
are between 8 and e far apart, then the algorithm has the option of returning either 
a proof of B x (a, b) or -■ B x (a, b). This extra flexibility will allow us to prove that 
R is a located metric. For some metrics even this disjunction cannot be con¬ 
structed. In general, the located metric property cannot be constructed for the 
standard sup-metric on functions between metric spaces (see Section 10.2). 

Theorem 9.13. Every decidable metric is also a located metric. 

Proof. This follows from Theorem 9.3. □ 

The weakest class of metrics in this hierarchy is the stable metrics. 

Definition 9.14. A stable metric is a distance relation B x such that 


Vabe.-i-iB x (a, b) => B x (a, b). 



9.4 Completion 


Metric Space 


Theorem 9.15. Every located metric is a stable metric. 


Proof. Suppose that B x is a located metric. Assume that —<—<B x (a, b) holds. Let 
5 be arbitrary. Because B x is a located metric, either B x + $(a, b) holds, or -■ B x (a, 
b) holds. However, it is impossible that ~^B x (a, b) holds by our assumption. So 
B x +S (a,b) holds. Since S was arbitrary, B x (a,b) holds as required. □ 

Note that when X has a stable metric, the equivalence relation between points 
(a x b ) is stable, meaning that \/ab.->->(a >c b) => a >c b. This follows from the fact 
that a^b-&'i£.B x (a,b). 

Although we will discuss the possibility of metrics that are not constructively stable 
in Section 13.5, it appears that metric spaces used in practice are stable. The only 
place I require that a metric be stable is in Chapter 13, so, for the sake of gener¬ 
ality, I will not assume that my metric spaces are stable in other chapters. Despite 
this generality, I believe one should consider making stability an additional axiom 
of metric spaces. 


9.4 Completion of a Metric Space 

One can define regular functions over any metric space X by using the distance 
relation. 

Definition 9.16. A function x: Q+=> X is regular if 

Ve i £ 2 : <Q + .B x +£2 ( x(si),x(e2)). 

Two regular functions x and y are equivalent (x x y) if 

V£ 1 e 2 :<£l + .B x +£2 (x(£ 1 ),y(£ 2 )). 

Notice how this definition of equivalence means that x: => X is a regular func¬ 

tion if and only if x x x. 

Call the type of regular functions over X the completion of X or £(X). 

Definition 9.17. <£(X) := 3x: Q+ => A.Vei e 2 : Q + . B x +e2 (x(£!), x(e 2 )). 

Define the distance relation on £(A) as follows. 

Definition 9.18. Bf (X \x, y) :=VS 1 S 2 : Q + . Bf 1+e+g2 (x(S!), y(S 2 )). 




Metric Spaces 


Theorem 9.19. The distance relation B^ x ^ respects the equivalence relation on 
€{X). 

Proof. Given xo, x\, yo, yv <£(X), suppose that xo x xi, yo x yi, and Bf. x \xa, yo) 
hold. Let < 5 i, 82 , 7: Q + be arbitrary. We have that B x i+ x{x\{8\), xo(^)) and 
B*+5 2 {yo{-£)-> tfi(fc)) hold. We also have that B x +e (x o(^), ?/o(^)) holds. There¬ 
fore, B^ + 5 1+£+ 5 2 (a;i((5i), yi(S2)) holds. Because 7 was arbitrary, we get that 
Bf 1+e+S2 (xi(8i), yi(S2)) holds as required to show that B^ x \x 1, y\) holds. 

By the symmetry of x, we also get that B^ x \x 1, y\) => Bf (x \xo, yo) 
required. 

The following theorem shows that the completion of a metric space is a metric 
space. 

Theorem 9.20. If (X, x , B x ) is a metric space, then ^£(X), x , B e( - X ^ is a 
metric space. 

Proof. 

1 . Consider arbitrary < 5 i and 82■ By Theorem 9 . 3 , B x 1+ g 2+e (x(8i), x^)) holds. 
Therefore, B'f^ is reflexive. 

2 . Bf( x ^ is symmetric because B x is symmetric. 

3 . Suppose that Bf^ x \x, y) and B^ x \y, z) hold. Let 7 be arbitrary. Then 

Bf t+et+ 2(x(8 1 ), y(D) and Bf +£2+ ^ 2 (y(|), z(8 2 )) hold. Therefore, 

B x 1+ei+£2+S2+J (x(8{), y(82)) holds. Since 7 was arbitrary, B £l ^+ £2 (x, y) 
holds. 

4 . Given e, x, and y, suppose that V7. B £ +^(x, y) holds. Therefore, Vy^i 82, 
B£ +£+ * 2+7 (x(< 5 i), y(8 2 )) holds. Then Vfc S 2 . B£ +£+52 (x(< 5 i), y(S 2 )) holds, 
which is the same as B £ ^ A -*(x, y). 

5 . Given x and y, suppose that Ve. Bf < ' X \x, y) holds. For any e, Si, and 82, 

B x 1+e+ g 2 (x(8i), y(82)) holds. Then B x 1 +S 2 (x( 8 i), holds because e was 

arbitrary. Therefore, xxy. 

□ 

The following are useful theorems about the distance relation on regular functions. 
Theorem 9.21. If B x (x(ei), 3 /(^ 2 )) holds, then B £ /+J +£2 (x, y) holds. 


Proof. Let < 5 i and 82 be arbitrary. B x 1+£l (x(8i), x(ei)) and Bf 2+S2 {y(e 2 ), y{82)) 
hold. Therefore, B x ^ £ ^. £ ,^ 2 ^'^fx(8i),y{82)) holds. □ 


3 □ 
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Corollary 9.22. If B x 0 (x(ei), b) holds, then holds where b is the reg¬ 

ular function b := Xe.b. 

Proof. By Theorem 9.21 b \ holds for every £ 2 . Therefore, 

holds. 012 □ 

The following theorem shows that the distance relation, B^ X \x, y) is equivalent 
to \/5.B x +2S (x(S),y(6)). 

Theorem 9.23. For any e, if V6. Bf +2S (x(6),y(6)) holds, then B^ x \x , y) holds. 

Proof. For any S, B x + s(x(jJ, holds. By Theorem 9.21, B^ffi(x, y) 

holds. Since 5 was arbitrary, Bf ( ' X \x, y) holds. □ 

The following theorem shows that the completion of a prelength space is a pre¬ 
length space. 

Theorem 9.24. If is a prelength space, then >:, B^^ is a 

prelength space. 

Proof. By Theorem 9.20, all that remains is to show that the prelength space 
property is preserved. Suppose that e < 5\ + S 2 , and Bf (x> (x, y) holds. Let 7 := 
min l5l + g 2 ~ £ j. B x +2ry (x(j), y( 7 )) holds. There is some c such that 

B x 1 _ 1 (x( 7 ), c) and B x 2 _ 7 (c, y( 7 )) hold. So Bff x \x, c ) and B^ x \c, y) holds by 
Corollary 9.22 where c := A s.c. □ 

The completion operation preserves the located metric and stable metric properties. 

Theorem 9.25. If X is a located metric, then £(X) is a located metric. 

Proof. Let xy: £(X) be arbitrary, and let Se: Q + be such that 5 < e. We need to 
show that B^ x \x, y) V -iB^ x \x, y). Let 7 := Because X is located, then 
either B$ +3l (x( 7 ), y( 7 )) holds or ~^Bf +2l (x( 7 ), y( 7 )) holds. 

Suppose that Bf +3l { ^( 7 ), y( 7 )) holds. Then Bg^^x, y) holds by Theorem 9.21, 
which is the same as B x (x, y) as required. 

Suppose that ~^B x +2j (x( 7 ), y( 7 )) holds. Then, by Theorem 9.21, ->B^ x \x, y) 
holds as required. □ 


Theorem 9.26. If X is a stable metric, then £(X) is a stable metric. 
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We cannot expect to prove that completion operation preserves decidable metrics. 
The most obvious example is that (Q is a decidable metric, while it is known that 
one cannot construct the decidable metric property for C(Q) (which is R). 

Typically the completion of a space X is denoted by X. Because I wish to empha¬ 
size the monadic property of the completion, I use Fraktur Cl. 


9.5 Remarks 


9.5.1 Infinite Distance 

Often the definition of a metric space requires the distance between two points 
always to be finite. Because I will want to consider the space of all uniformly con¬ 
tinuous functions between two metric spaces as a metric space in Section 10.2, I use 
the more liberal definition. 


9.5.2 Dedekind Cuts 

Instead of using the distance relation B x as defined above, another possibility 
would be to use a relation of type X =>■ X => <Q + => *. This is just a rearrangement 
of the parameters to B x , so it does not appear to make a difference; however, you 
can also view it as a function of two parameters that returns a unary predicate on 
Q + . Axiom 4 and Theorem 9.3 imply that this predicate forms a closed uppercut 
of <Q + , thus the result of the function is a Dedekind cut. Define to be the non¬ 
negative Dedekind extended reals, or more specifically, the dependent record type 
of closed upper cuts of Q + , including the empty cut (meaning oo) and the full cut 
(meaning 0). One could then define a metric space by a metric function d x of type 
X => X => B^J" (and adjust the axioms of a metric space appropriately). Only a 
small amount of theory about the Dedekind reals is needed, addition but not multi¬ 
plication. Cauchy reals (R) would then be defined as a metric space whose distance 
function returns a non-negative Dedekind real. 

I attempted this approach. I tried to define equality and addition on B ( ^+ to show 
that (b£+, >C]d , Te> j is a monoid. This would have allowed me to reuse existing 
theorems about monoids that have been developed in the C-CoRN library. Unfor¬ 
tunately this does not work in Coq 8.0 because the fact that B^J" is a predicate 
forces B^jJ" into a higher universe level than is allowed by the C-CoRN 
library [CoRN, 2008]. Coq 8.1 allows more flexibility in universe levels for instances 
of inductive types. This could help alleviate some of the universe issues; however, I 
still fear that trying to use C-CoRN monoids for predicates will never work. To 
avoid universe level issues, I use the distance relation B x as given in Definition 9.1, 
and I do not use Dedekind reals at all. 
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9.5.3 Identity of Indiscernibles 

The distance relation can be used to define equality because 
(V £ .Bf(a,6))<^ax6 

holds. If the type X does not come with an equivalence relation, then an equiva¬ 
lence relation can be defined from the distance relation. This would make Axiom 5 
more of a definition than an axiom. 

Usually a type X comes equipped with its own equivalence relation used in other 
theorems. This is the case for <Q. Therefore I use the existing equivalence relation 
in order to be compatible with those theorems. Otherwise I would end up con¬ 
stantly swapping between two equivalent equivalence relations. 


9.5.4 Modulus of Continuity 

My definition of modulus of continuity maps e to S, while the usual mathematical 
definition of modulus of continuity maps 5 to e. The inverse of the usual definition 
bounds my definition of the modulus of continuity. My definition of the modulus of 
continuity is the standard one for constructive analysis, and is essentially the same 
as Bishop and Bridges’s definition [Bishop and Bridges, 1985]. 

9.5.5 Prelength Space 

A prelength space is a weaker notion than a length space. For example, the ratio¬ 
nal are not a length space because no two points can be connected by a continuous 
curve; however, the rationals are a prelength space. I chose the name prelength 
space because of an analogy with precompact spaces. When a precompact space is 
completed it becomes a compact space; when a prelength space is completed it 
becomes a length space. 

A possible alternative definition for prelength space would be to use the classical 
existential quantifier: 

WabeSi S 2 .e < <5i + S 2 => B?(a, b ) =► 3c. B£(a, c) A Bf 2 (c, b) 

The witness c is never used in any construction in my work. However, I will stick 
with the constructive existential for this part. If one uses the classical quantifier, 
one may need to add the extra assumption that the metric space has a 
stable metric to some of the theorems. 

In the Coq development, I used the Prop based existential quantifier. This special 
quantifier has the same constructive introduction rules that the constructive exis¬ 
tential quantifier has, but the elimination rule is restricted to be more like a clas¬ 
sical quantifier. The dependent pair is never allowed to be eliminated when con¬ 
structing a value of a Set kind (see Section 2.3.2). It can only be eliminated when 
constructing other Prop-kinded values (such as proofs of Bf(a,b)). 






Metric Spaces 


9.5.6 Notation for Projections of Dependent Records 

Recall that metric spaces (Definition 9.1) and uniformly continuous functions (Defi¬ 
nition 9.4) are represented by dependent record types. The distance relation B is 
actually a projection function that takes a metric space X and returns the distance 
relation B x . I won’t distinguish between the type Q and the metric space (Q, = . 
B'°~y, I will denote both as (Q. In fact, because I declared the dependent record 
Q_as_MetricSpace as a Canonical Structure [The Coq Development Team, 
2004], Coq is also able to infer the correct metric space from the type Q. In partic¬ 
ular, I will write the extraction of the distance relationship from a metric space as 
B (> bQ ) ag s j m piy #<Q This means that the notation B^ may either denote the 
actual distance relationship on Q as defined in Theorem 9.10, or it may denote the 
projection function for the distance relationship applied to the metric space (Q, = , 
B^y This ambiguity in my notation poses no problem because b^’~’ bQ - 1 reduces 
to B®. 

Similar notation will be used for the modulus of continuity, [if, and other depen¬ 
dent records. 



Chapter 10 

Completion Is a Monad 


The definition of a monad comes from category theory, but one does not need to 
understand the categorical definition of monads in order to use them. Given a type 
operation 971, a type of morphisms, and three functions, unit : X — > DJl(X). map : 
{X -> Y) =► (m(X) -> 97t(T)), and join : 97t(97t(J0) -> m(X) that satisfy the seven 
laws given subsequently in Section 10.1, the dependent record (971, unit, map, join) is 
a monad. The completion monad, <£, operates on metric spaces with uniformly con¬ 
tinuous functions. Notice that, although map is required to take and return uni¬ 
formly continuous functions (see Notation 9.5), it is not required to be uniformly 
continuous itself in order to form a monad. Later we will see that map is in fact 
uniformly continuous (Theorem 10.31). 

The unit function is the injection of X into <t(X). 

Definition 10.1. unit(a) := Xe.a. 

Notation 10.2. I will sometimes denote unit(o) by a. 

Theorem 10.3. For any a: X, unit(a) is a regular function, and unit is uniformly 
continuous with modulus I. 

The following two theorems show that the metric is preserved under this injection, 
and it is sound to think of x(e) as an approximation of x within e. 

Theorem 10.4. For any a, b, and s, B x (a, b) holds if and only if B^ x ^d, b'j 
holds. 


Theorem 10.5. For any s, Bf^ x ^x,x(e)^ holds. 

Proof. Let <5i and 62 be arbitrary. Because x is a regular function, B x 1+e (x{5\), 
x(e)) holds, but this is the same as B x 1+e ^x(Si), x(e)(S2) S j. By Theorem 9.3, 
B^ +£+52 ^x(<5i),x(e)((52)^ holds as required. □ 


The function join : £(<£(X)) —> <£(X) comes from the proof that the completion of a 
metric space is complete. 
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Definition 10.6. join(a:) := Ae.a:(|)(|). 

Theorem 10.7. For any x: £(£(X)), join(x) is a regular function. 

Proof. Let £\ and £2 be arbitrary. Because x is a regular function, (a;( , 

:c (t)) holds. Theorem 10.5, x (t)(t)^ holds, so all together 

B^+] 2 ^join(®)(ei), join(x)(e 2 )^ holds. By Theorem 10.4, D^ +£2 (join(x)(£i), 
join(a;)(£ 2 )) holds, so join(a;) is a regular function. □ 

Theorem 10.8. The function join is uniformly continuous with modulus I. 


Proof. Let £ and 8 be arbitrary, and suppose that X\ and 0*2 are such that B e (x±, 
xf) holds. We know that B i J,' X> (x l ^'j. holds by Theorem 10.5 and 


hence j holds by Theorem 10.4. Also sf 


xA —) holds by Theorem 10.5. Together this means that B$ 


3 ETj(|)(|) j holds. Therefore, ^(join(xi) (()), join(0^2)(<5)y holds. By two 

applications of Theorem 10.4, D^|_25(j°i n ( a; i)(^)) join(a?2)(A)) holds. By The¬ 
orem 9.23, D £ ^\join(xi),join(a;2)) holds as required. □ 


The function map: (X —> Y) => (£(A) —» (f(T)) lifts uniformly continuous functions 
on the base spaces to uniformly continuous functions on the completed spaces. 

Definition 10.9. map(/)(x) := Ae. 

Notation 10.10. I will sometimes write map(/) as f. 

Theorem 10.11. If f \ X —> Y and x: £(X) and 8 and e are such that 8 < 
then Bj(f(x(8)),f (x)(e)). 

Proof. Because r is a regular function, B x f ( E )(x{8), x ^ f ^ holds by The¬ 
orem 9.3. Because / is uniformly continuous, BY( f(x(8)), f(x( lJ ‘ f ^ J J J holds as 
required. □ 


Theorem 10.12. If f:X—>Y and x:£(X), then f (x) is a regular function. 
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Proof. Consider arbitrary e\ and £2. Let <5,; := p,f(£i). Without loss of generality, 
assume that <5i < 62- By Theorem 10.11, f (x)(£2)^j hold. By The¬ 
orem 9.3, B^ 1+£2 (/(x)(e 1), f (x)(e 2)) holds as required. □ 

Theorem 10.13. The function f is uniformly continuous with modulus . 

Proof. Let x, y, and £ be such that &£ffi(x, y ) holds. Let 6 := Consider 

arbitrary £1 and £2. Let Si := Let &[ := min (5, 5,). Because a; is a regular 

function, ^°^ s - Therefore, x(5{) ^ 

holds. Hence, B^f (x)(ei), /(a;(c>i))) holds because / is uniformly continuous. 
Similarly, Bf 2 (/(y(^)), / (t/)(£ 2 )) holds. 

By our hypothesis, 3/(42)) holds, and hence 

y((52)) holds. Again, because / is uniformly continuous, (/(ir(5i)), /(2/(5|))) 

holds. Therefore, B^ 1+£+S2 (f (a;)(£i), / (i/)(£ 2)) holds as required. □ 

There is an alternate definition for map that is more efficient. 

Definition 10.14. map , (/)(a;) :=foxofTf. 

However, there is a catch. The functions map and map' are only equivalent when X 
is a prelength space. Consider a case when X is not a prelength space. Let X be 
the space {—1} U {n -1 1 n: N+} and Y be the space {—2} U {n -1 1 n: N+} with the 

induced metrics. The function /: X —» Y sending —1 to —2 and n -1 to n -1 is uni- 
±i 

formly continuous with modulus Xe. e . Consider the regular function x that sends 
£ to —1 when 1 < £ and sends £ to some n -1 < £ when e < 1. In this case, 
map \f){x) is not a regular function. 

Theorem 10.15. Given f:X^Y where X is a prelength space and Y is a metric 
space, consider arbitrary a, b, £0,..., £ n _i. Let Si := Pf{£i), S := 5o + ... + S n -±, and 
£ := £0 +...+£„_i. IfB*(a,b) holds, then Bj(f(a), f(b)) holds. 

Proof. Let e n be arbitrary, and let S n := jj /(£«,)■ By Theorem 9.9, there are Co,..., 
c n+ \ such that B^ (c/, c, + 1) holds, a = Co, and b = c„+i. By uniform continuity, 
B)((/(cj), /(cj+i)) holds. Thus Bl +Sn (f(a), f(b)) holds. Since e n was arbitrary, 
BY(f(a), f(b)) holds as required. □ 

Theorem 10.16. If f: X —* Y where X is a prelength space and Y is a metric space 
and x:£(X), then map'(f)(x) is a regular function. 

Proof. Consider arbitrary £ 1 and £2. Let S t := ///(£*). Because x is a regular func¬ 
tion, b£ + $ 2 (x( 8 i), x(S2)) holds. By Theorem 10.15, B^ x+£2 {f{x{5\)), f(x(d2))) 
holds, which is the same as B^ +e 2 (map , (/)(£i), map'(/)(£2)) as required. □ 
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Theorem 10.17. The function map , (/) is uniformly continuous with modulus pg. 

Proof. Suppose that y) holds. Let 6 := flffff). Consider arbitrary e\ and 

£2- Let Si := M/( £ 0- Thus B^ + ^ + 5 2 (a;((5i), 2/(^2)) holds. By Theorem 10.15, 
BXi+e+cifbVi)), /(«)) holds. Therefore, B* (map 1 map / (/)(y)) 

holds. □ 

Theorem 10.18. For any f: X —> Y and x: X, where X is a prelength space, 
map'(/)(a;)xmap(/)(x). 

Proof. Let £1 and £2 be arbitrary. Let Si := pt}{£%)■ Because x is a regular func¬ 
tion, £?^ + «2^a;((5i), ^t)) holds and hence »£+*»(*(&),*( 2)) holds. By The¬ 
orem 10.15, B^ 1+£2 ^f(x(Si)), /( x (ir))) holds which is the same as 

Bf 1+e2 (map , (/)(a;)(£i),map(/)(a;)(£2)) as required. □ 

Notice that map' not only avoids dividing the modulus by 2 in its definition, it also 
avoids dividing by 2 in the modulus of continuity of /. The metric spaces we typi¬ 
cally work with are prelength spaces, so in practice we use map' instead of map. In 
fact, this entire project was developed using map' first. It was only after 
reading “Real numbers and other completions” [Richman, 2008] that I learned how 
to write map without requiring the assumption that X is a prelength space. 

The function bind : (X —> C(V)) => (£(X) —> £(F)) is defined in terms of join and 
map in the usual way. 

Definition 10.19. bind(/) :=join o map(/). 

Notation 10.20. I will sometimes denote bind(/) as f. 

Similarly there is an equivalent bind'. 

Definition 10.21. bind'(/) :=join o map'(/). 


10.1 Monad Laws 

To prove that completion forms a monad, we need to verify that the seven monad 
laws [Wadler, 1995] hold. 

Theorem 10.22. Ixl. 

Proof. Let x : £(X) be arbitrary. Because a; is a regular function, B'f, +e2 ( x (^-)- 
ie(£ 2)) holds. Hence B^ +e2 (l(a:)(£i),I(a;)(£2)) holds and I(x)>cl(x) as required. □ 
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Theorem 10.23. Vg: X —> Y.Vf: Y ^ Z. f o g x/oj. 

Proof. Let £i, e 2, and x: C(X) be arbitrary. Let Si := Let 7 := min 

By Theorem 10.11, R^S^x^)), 5( x )(ir)) holds and hence 

Bl 2 (^g(x(^)), holds. From this we know that Bf 2 (f(g(x(^)), 

fog(x)(e 2 )) holds. 

Again, by Theorem 10.11, Rfj((/ o g)(x(j )), fog(x)(e 1)) holds. Therefore, by 
the triangle law, Rf 1+£2 ( fog ( x){e\ ), / o g (x)(£2)) as required. □ 

Theorem 10.24. V/: X —> Y. f o unit x unit o /. 

Proof. Let £ and x: X be arbitrary. We have f (x)(e) = f(x) and f(x)(s) = f(x), 
so / (x) x /(x) holds as required. □ 


Theorem 10.25. V/: X —> Y. f o join xjoin o map(/). 


Proof. Let £1, £2, and x: £(£(X)) be arbitrary. Let := fj,f(s 1), S 2 := /x/(^), and 
(5 := min By Theorem 10.5, R x! ^x^^ ^• x \ holds. By Theorem 10.4 


and Theorem 10.5, 4 ’), ^(t )J holds. Therefore 

R^( C ( X ))^a:^^-^^^, x^ holds. Because 5 < Bf^ x ^(^x, x(S)(S)^ holds by 

similar reasoning. This means that Bjj[^s^ ^4' )• x (^)(^)) holds by the 
triangle law and Theorem 10.4. Because / is uniformly continuous, 
Rr i (/(x(|)(^ 1 )), f(x(S)(S))) holds. 

Because 5 < y, we can conclude that B^ e ^ x ^fx(S)(S),x') holds by reasoning sim¬ 


ilar to the above. We 


also conclude that Bfs^ X \ 



holds by 


the same kind of argument. Again, 

r£(x(5){5), *(t)(t)) holds - 

B^{f(x(S){S)), /(*(f)(f))) 

f (<*)($))) ^ 


by the triangle law and Theorem 10.4, 
Because / is uniformly continuous, 
holds, and hence B] 2 (^f(x(S)(6)), 


By putting these two results together, we get Rj 1+e2 ^/^x^^-^^-^, 
/(z(x)(ir)))’ which is exactl y ^r i+ , s (/(joi n (o ; ))(£i),join(map(/)( ;5 )-)(£2)) as 
required. □ 
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Theorem 10.26. join o unit x I. 

Proof. Let £i, £2, and x: £(X). be arbitrary. Since a: is a regular function, 
+E2 (x(y)> x ( £ 2 )) holds and therefore -B^ +£2 (a;( x { £ 2)) holds. But this is 
exactly B^ +£2 (join(f )(ei),I(a;)(£2)) as required. □ 

Theorem 10.27. join o unit xl. 

Proof. Let e\, £2, and x: £(X). be arbitrary. Since a; is a regular function, 
Bik + e 2 (a ; (^)) x { £ 2)) holds and therefore B^ +£2 (a;(^), #(£2)) holds. But this is 
exactly B^ +E2 (join(unit(x))(ei),I(a;)(£2)) as required. □ 

Theorem 10.28. join ojoin x join o join. 

Proof. Let £1, £2, and x: £(£(£(X))) be arbitrary. Since a; is a regular function, 
x (t)) ^°^ s - This means that Bf^l^a;^)^), x (^-)(^)) 
holds, which in turn means :e (t)(t)(t)) ^°^ s - There¬ 
fore B^ +£2 (a;(^)(^)(^), *(t)(t)(t)) holds, but this is exactly 

B^ +£2 (join(join(a;))(£i),join(join(x))(£2)) as required. □ 

Twice completing a metric space is isomorphic to completing it once, 
£(£(.A)) <-> £(X). A monad with this property is called an idempotent monad. The¬ 
orem 10.26 gives half of this isomorphism. The following theorem (which is not a 
monad law) completes this isomorphism. 

Theorem 10.29. unitojoinxl. 

Proof. Let £1, £2, <5i, and 62 be arbitrary. Let x: £(£(X)) be arbitrary. Because x 
is a regular function, B% l+£2 +5 2 (•' z: (t)(t)’ *(ea)(&)) holds. Hence 

B£ +£l+£2+52 (join(a;)(<5i), x(e 2 )(S 2 )) holds. Therefore B£ +£l+£2+( 5 2 (join(a;)(£i)(<5i), 
*(£2)(£2)) holds, which means that unit(join(a;)) x x as required. □ 

10.2 Lifting Binary Functions 

The function map can be used to lift unary functions from X —* Y to <£(X) —4 £(T); 
however, one also wants to lift multi-argument functions such as binary functions. 
One can lift curried binary functions on base spaces to curried functions on com¬ 
pleted spaces, but one first needs to consider the space of uniformly continuous 
functions as a metric space. This is done using the supremum metric. 
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Theorem 10.30. For any two metric spaces ( X , x , B x ) and ( Y , x , B Y ), the 
space of uniformly continuous functions from X to Y, {X —* Y, x , B X ^ Y ), is a 
metric space where B x ^ Y (f, g) := Va, Bj(f(a), g(a)) and with the equivalence 
relation fxg := Va. /(a) x g(a). 


Proof. All the properties of B x_>r follow directly from the same properties for 
B y . □ 


Unfortunately, the space of uniformly continuous functions between two prelength 
spaces is not necessarily a prelength space. Consider the space of curves on the unit 
circle, [0,1] —> S 1 . Consider two curves connecting two points where one goes clock¬ 
wise and the other goes counter-clockwise. If [0,1] —> S 1 were a prelength space, 
then there would be a curve about halfway between these two curves; however, 
there is no such curve. 

Fortunately, one can still lift curried functions using the more efficient map', 
because the theorem that the result of map' is a regular function, Theorem 10.16, 
requires only that the domain be a prelength space. With curried functions (say 
X — k {X —> X)), it is the range that may not be a prelength space. The domain is 
still the prelength space X, so Theorem 10.16 applies. 

A monad 9Jt is a strong monad when there is a morphism strength : X x 9Jl(F) —» 
9)l(X x Y) satisfying particular laws [Moggi, 1989]. In Section 13.1, we will see that 
metric spaces are Cartesian, meaning that we can take the cross product of two 
metric spaces. We will also see that £ is a symmetric monoidal monad, and there¬ 
fore, £ is a (commutative) strong monad. If metric spaces formed a Cartesian 
closed category, then strength could be used to prove that map is a mor¬ 
phism [Kock, 1972]. Unfortunately, our category of metric spaces is not closed 
because evaluation is not uniformly continuous (see Section 10.3.2). Therefore, we 
must prove directly that map is uniformly continuous. This is known as functorial 
strength. 


Theorem 10.31. Let X and Y be metric spaces. Then map : (X —* Y) —> 
(£(X) —> £(U)) is uniformly continuous with modulus I. 


Proof. Let e be arbitrary. Suppose that /i fi'.X^Y are such that B X ^ Y (f\, 
/2). Let ero and x: £(X) be arbitrary. Let do := min an< ^ a := 

x(do). We know that B% Y> ( fj (x), fi(a)) holds by Theorem 10.5 and uniform con¬ 
tinuity. By Theorem 10.24, fi(a) x fi(a). By Theorem 10.4, B^ V) ^ f\ (a). /2(a)) 
holds, so all together 7 ?^£^(/ i ( x ), h(x)). Since eo and x were arbitrary, 

B f cX) ^ £{Y )(fi, h) holds as required. □ 


Corollary 10.32. Let X be a prelength space and Y a metric space. Then map / : 
(X —> Y) —> (£(A”) —> £(U)) is uniformly continuous with modulus I. 
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We also want to construct the function ap : €(X —>Y)—> £{X) —> C/T), which one 
can think of as a function that takes the limit of uniformly continuous functions 
(see also Section 12.1.3). Again, if we were in a Cartesian closed category, then we 
would be able to define ap using map, but because the category of metric spaces is 
not Cartesian closed, we define ap directly. 


Definition 10.33. ap(/)(a:):= Ae. map(/(|))(a:)(|). 


Theorem 10.34. For any f: (£(X —> Y) and x: £(X), ap is a regular func- 


Proof. Let e\ and £2 be arbitrary. Let /,; := / (y). Because / is regular, 
ff) holds. Let y* := fi(x). By Theorem 10.31, 1/2) holds. By 

Theorem 10.5, sfP^yi(y), y ^ holds. All together B £ ( y ] 2 ^yi(y), 2/2(^^ 
holds. By Theorem 10.4, ^), y 2 (y)) holds as required. □ 

Theorem 10.35. For any f : <L(X — > Y), x:<£{X), ande, B^ Y \ap(f)(x), /(?)(,;•)) 
holds. 


Proof. Let e\ and e 2 be arbitrary. Let f\ := /(y) and / 2 := /(e). Because / is 
regular, B x f Y (/l, /2) holds. By Theorem 10.31, B?f^(/i(x), h( x )) holds. By 

Theorem 10.5, Bfi y) ^/i(a;)(y), /i(x)^ and B^ Y ^f 2 (x), / 2 (a;)(e 2 )^ hold. All 

together /i(a:)(y). / 2 (a:)(£2)^ holds, and by Theorem 10.4, 

Br i +£+ £2 (/i(®)(y), / 2 (ar)(e 2 )) holds. Therefore, B? (y) (ap(/)(a;), / 2 (x)) holds as 
required. □ 


Theorem 10.36. For any f: £(X - 

...... w 


y> ap(/l 


uniformly continuous with mod- 


Proof. Let e be arbitrary, and let 5 := /r^£y(|). Suppose that X\ and x 2 are such 
that Bf^ x \x 1, x 2 ) holds. Then, by Theorem 10.13, Bf (Y) (^ f(^)(xi), /(f )(# 2 ) j 
holds. By Theorem 10.35, Bf ( ' X ^ap(f)(xi), /(f)(®i)) holds. Together this means 
that Bf < ' Y \ap(f)(xi), ap(/)(a; 2 )) holds as required. □ 


Theorem 10.37. The function ap is uniformly continuous with modulus I. 
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Proof. Let e be arbitrary. Suppose that fa and fa are such that Bf 


Vu h) 


holds. Let x: C(X) and 6 be arbitrary. Because fa and fa are regular functions, 
fa^j')') holds. Therefore, by Theorem 10.31, Bf ^ fa ^|^(sk|| 

/ 2 (|)(a;)^ holds. By Theorem 10.35, sf^ F ^ap(/,)(x), )(a:)^ holds. Together 

this yields .B^?(ap(/i)(ar), ap(/ 2 )(ar)), and since 6 and x were arbitrary, 

B e ( ap(/i), ap(/ 2 )) holds as required. □ 


Theorem 10.38. For any f\X^>Y, ap^/^x/. 


Proof. Let s\, e 2 , and x: £(X) be arbitrary. Because / (x) is a regular function, 
B£l +E 2 (J f(x)(e 2)) holds and hence B* +£2 (f (x)(^-), f {x)(e 2 )) holds. 

Because ap(/)(aO(ei) = we have - B ?i+e 2 (ap(/)(a;)(ei), /(a;)(e 2 )) as 

required. □ 


By using ap, we can define a map2 function that lifts a curried function /: X —» 
Y^Z to map2 {f):£(X)^£(Y)^£{Z). 


Definition 10.39. map2(/) := ap o map(/). 


Other functions can be made to lift n-ary functions by repeated use of ap and map. 

We also define equivalent versions of ap and map2 that use map', which work when 
the appropriate domains are prelength spaces. 

Definition 10.40. ap'(/)(a:) := Ae. map'(/(|))(x)(|). 

Definition 10.41. map2 , (/) := ap'o map'(/). 

The same theorems that hold for ap also hold for ap' with the exception that the 
modulus of continuity for ap '(/) can be improved. 

Theorem 10.42. For any f: <t(X —> Y), ap'(/) is uniformly continuous with mod¬ 
ulus A £./Z^!)(|-). 


Proof. This proof is similar to the proof of Theorem 10.36. The improved modulus 
of continuity is a consequence of improved modulus of continuity for map' given by 
Theorem 10.17. □ 
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10.3 Remarks 


10.3.1 Curried Uniformly Continuous Functions 

There is an advantage to using curried functions over using uncurried functions. 
Consider some function f:X—>(Y—>Z). The result of applying / to some value a: 
X is itself a uniformly continuous function /(a): Y —> Z. The advantage is that the 
modulus of continuity of /(a) is allowed to depend on the value of a. This means 
that when map2(/)(a;)(y): €(Z) is approximated to within e, the computation will 
first approximate x: €(X) to within then y: <L(X) will be approximated by 

using a modulus that depends on the approximation of x. The extra information 
given by the approximation of x can potentially be used to save work by reducing 
accuracy required from y. If / were uncurried, X x Y —> Z, then one modulus of 
continuity for / would need to apply uniformly for all (x, y): X xY. 

This advantage does not work symmetrically in the two parameters of a uniformly 
continuous function. When the value map2 (f)(x)(y): <t(Z) is approximated, the 
approximation for x: <t(X) cannot depend on the value of the approximation of y: 
C(Y) because of the way that the parameters are ordered. Therefore, one should 
consider the order of the parameters of uniformly continuous functions in order to 
have optimal efficiency. 

I believe we could define curry : {X xY—>Z)=>X—>Y—>Z. However, I do not 
believe that we can define uncurry : (X —>Y —> Z) =$> X xY —> Z because there is no 
way to construct a uniform modulus of continuity from the X-indexed set of uni¬ 
formly continuous functions. Since I work with curried functions directly, I did not 
pursue the development of curry. 


10.3.2 Cartesian but not Closed 

Theorem 9.7 showed that metric spaces form a category. In Section 13.1, we will 
show that this category is Cartesian, meaning that we can take the cross product of 
two metric spaces. However, this category is not closed because we cannot con¬ 
struct a uniformly continuous eval : X x {X —> Y) —> Y function. The problem is 
that we cannot find a modulus of continuity for eval that works uniformly for all 
inputs. In particular it has to work for all /: X —> Y. Suppose /j e vai did exist. Then 
given a and b such that B* b ) holds, then £?^(eval(a, /), eval(6, /)) would 

hold. But this would be equivalent to T3 y . (f (a)< f(b)), which means that /x ev ai 
would be a modulus of continuity for /. However, / was arbitrary. We do not have 
one modulus of continuity that works for every function, so this is impossible. A 
similar argument shows that there is no uniformly continuous compose : (Y —> Z) x 
{X —> Y) —> X —> Z function, so the category is not an enriched category over itself 
either. 
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If we worked with a restricted set of uniformly continuous functions that all shared 
one global modulus, for example, the set of uniformly continuous non-expansive 
maps, then we would have a Cartesian closed category. In this case, eval would be 
uniformly continuous with the global modulus, and any function in the simply 
typed lambda calculus could be interpreted in this category [Lambek, 1980]. 


10.3.3 Errors Found During Formalization 

I completed paper proofs of the previous theorems before formalizing them in Coq. 
I published these paper proofs in Mathematical Structures in Computer Sci¬ 
ence [O’Connor, 2007]. Because of this preparation, the process of computer for¬ 
malization was straightforward. Still, a few errors were uncovered during formaliza¬ 
tion. These errors have been corrected in this thesis. 

Most errors found were very minor. For example, my original proof of The¬ 
orem 9.24 failed to consider the case when 7 is too big. Problems with epsilons 
being too large were easy to fix. Coq did catch one more substantial error in my 
original proof of Theorem 10.8 with the error message. 

Error: Impossible to unify 
"ball (m:=Complete (Complete X)) ((1 # 2) * dl) 

(Cunit (Cunit (x ((1 # 2) * dl)°/,Qpos) ((1 # 2) * dl)7,Qpos)) 

(Cunit (x ((1 # 2) * dl)7,Qpos))" with 
"ball (m:=Complete (Complete X)) ((1 # 2) * dl) 

(Cunit (Cunit (x ((1 # 2) * dl)7»Qpos ((1 # 2) * dl)7«Qpos))) 

(Cunit (x ((1 # 2) * dl)7oQpos))" 

It may take you a moment to find the difference between these two expressions. I 
had bitten off a bit more than I could chew when I tried to conclude 
x *(h)(f directly. Although it does hold, it took one more step in reasoning 
than I had originally figured. 

I also found one “error” in my Coq proof during the final preparation of this 
chapter. Of course, it was not a logical error because Coq would not allow that. 
Instead it was an efficiency error. When creating ap', I had neglected to give it its 
better modulus of continuity found in Theorem 10.42, and instead had given it the 
same modulus found in Theorem 10.36. This “error” has been corrected in the Coq 
code. 





Chapter 11 
Real Numbers 


Using the completion monad, it is now easy to define the real numbers. 

Definition 11.1. R:=<£(Q). 

Functions operating on the real numbers can be created by using map' or bind' to 
lift uniformly continuous functions operating on the rationals. This is the advan¬ 
tage of using the monad functions. It is often easier to define a function on the 
rationals than on the reals, because it is possible to decide for two rational numbers 
a and b which of a < b, a = b, or a > b hold. The real numbers do not have this 
property. 

Theorem 11.2. 

• For all a: <Q, the functions Xb: Q.a + b and Xb: (Q. —b are both uniformly con¬ 
tinuous with moduli I. 

_L a 

• For all a: <Q, A6: Q. 6 is uniformly continuous with modulus I. 

• For all a: <Q, Xb: Q. b is uniformly continuous with modulus I. 

• The function A6:<Q. |6| is uniformly continuous with modulus I. 

• For all a: Q, Xb: Q.a b is uniformly continuous with modulus Xe. (or 

Xe.oo in the case when a = 0). 

By using map', all of these unary functions can be lifted to functions on 1R. For the 
moment, one of the arguments to the binary functions + , • , min and max must be 
rational. For example, for any a: Q, the unary function map' (Xb: Q.a + b) : R —» 1R 
is the function that translates by the rational number a. 

At this point, one can see why regular functions work better than regular 
sequences. For multiplication by the constant a: Q, the modulus of continuity is 
Xe. jU. This means that when map'(A6.a h)(x) is approximated by e, then x is 
approximated by -^j, which is precisely the minimum approximation needed from x. 
If one used regular sequences, then one would need to round -A down to the 
nearest number of the form — before proceeding. Extra work may be done because 
x is over-approximated. For a deep computation, all these over-approximations 
could multiply causing significant excess work. 
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11.1 Binary Functions of Real Numbers 

One can use map2' to lift addition to operate on R. 

Theorem 11.3. The function Xa: (Q.A6: (Q.a + b is uniformly continuous from <Q 
to <Q —* Q with modulus I. 

The definition of addition on R is 

Definition 11.4. x + y := map2'(Aa: (Q. Xb: (Q.o + b)(x, y). 


The definition of multiplication on R is a little more complicated than for addition. 


Theorem 11.5. For any c: (Q + , the function Xa.Xb.ab is uniformly continuous 
from <Q to Q—> Q with modulus Xe. 

Proof. Let ao, ar. Q be such that R?(a o, ai) holds. This means c |oo — ai| < e 
holds. Let b: (Q be arbitrary. Because 6_ < c holds, we have that 

I J_ c I J_c I 

6 ^ |ao — ai | < e holds. Therefore, ao b^ — ai b^ < e holds, which is the same 
asR^^ao^ ,a\b Y Thus A6.ao6 ,Xb.a\b \ holds as required. □ 


The definition of multiplication for x, y: R is 


Definition 11.6. xy:= map2 , ( Xa.Xb.ab 


( x , y), where c:= |y(l)| + 1. 


Because multiplication is not uniformly continuous, some closed interval containing 
y must be found. This requirement is reflected in the fact that c is used in the defi¬ 
nition of the modulus of continuity in Theorem 11.5. 

This definition of multiplication is asymmetric because only y is bound by a closed 
interval. The typical definitions of multiplication in exact real arithmetic imple¬ 
mentations find closed intervals for both x and y. My definition is the natural defi¬ 
nition of multiplication that one gets when one uses monad operations. It saves one 
from the unnecessary work of finding a closed interval for x. Also notice that when 
approximating x y, how well y needs to be approximated depends on the value of 
the approximation of x. These two considerations mean that one should try to 
multiply two real numbers in the best order in order to allow the approximation of 
x y to be as efficient as possible. 
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11.2 Inequalities 

Inequality is defined in terms of non-negativity and is analogous to the definition 
that Bishop and Bridges [Bishop and Bridges, 1985] use. 

Definition 11.7. a; € E 0+ := Ve: Q + . -e <q i(s) . 

Definition 11.8. x <r. y := y — x £ R 0+ . 

Strict inequalities are defined in terms of positivity. The obvious definition of posi¬ 
tivity is dual to the definition of non-negativity, 3e: (Q+.e <q x(s). This would be 
analogous to the definition given by Bishop and Bridges [Bishop and Bridges, 
1985]. However, I have found an alternative definition to be better. 

Definition 11.9. x G R + := 3e: (Q+. e <rx. 

Definition 11.10. x <r y := y — x £ 1R + . 

To compute the reciprocal (see Section 11.3) or the logarithm (see Section 11.4) of 
a real number x, one needs a rational number strictly between 0 and x. This is 
exactly what the witness in my definition provides. To find the same value using 
the definition from Bishop and Bridges [Bishop and Bridges, 1985], one needs to 
compute x(e) — e, which is a potentially expensive computation. 


11.3 Reciprocal 

Not all functions that one wishes to represent are uniformly continuous. One 
example of a non-uniformly continuous function is the reciprocal function, Ax.x -1 . 
Bishop and Bridges [Bishop and Bridges, 1985] define a continuous function as a 
function that is uniformly continuous on every compact interval in its domain. The 
general idea is, for each x, to find a domain containing x that the function is uni¬ 
formly continuous on, and clamp the input to that domain. 


Theorem 11 . 11 . For every a: (Q + , Ax. ^x ^ and Ax. ^x ^ are uniformly 

continuous from Q fo Q, and both functions have a modulus of continuity of 
A e.ea 2 . 

One can now define x -1 for any x: R such that (x < 0) V (0 < x). 

Definition 11.12. Suppose that 0 < x. Then there exists some a: <Q such that 
0 < d < x. In this case, define the reciprocal as 
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■■:=map'(A6.(y 1 } 


(*)• 


Similarly if x < 0, then there exists some a: Q such that x < a < 0. In this case, 
define the reciprocal as 


{x). 


It is important to note that the result is independent of the choice of a. 
Theorem 11.13. If 0<do<a; and 0<di<x, then 


map'l Xb. ( b 


(. x ) x map'! Xb. I b 


(*)■ 


Notice that the larger the value of o, the larger the modulus of continuity is. The 
larger the modulus of continuity is, the more efficient the lifted function is, because 
less work is done when approximating the input. Therefore, it is helpful to find as 
large an a as is reasonable when proving that x is positive (or negative). 


11.4 Power Series 

Other elementary functions can be defined in terms of power series. The limit of a 
convergent sequence can be constructed if the modulus of convergence is known. It 
is particularly easy to compute the limit of an alternating decreasing series. 

Theorem 11.14. Suppose that lim a n = 0, a n is alternating, and V i. 

|aj+i| < \ai \- 11 - 1 Let x(s) := ^ a*. Then x is a regular function. 

{ i . £ < a,-1 } 

Definition 11.15. Given the conditions of Theorem 11.14, define a i :=x - 

We can also easily compute the limit of a sub-geometric series. 

Theorem 11.16. Given any c: Q such that 0 < c < 1, suppose that a n is a series 
such that Vi. |oq+i| < c \ai\. Let x(e):= ^2 ai- Then x is a regular function. 

11.1. The definition of lim a n = l is Ve: Q+. Bn.Vm > n. \a m — l \ < e. 
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Definition 11.17. Given the conditions of Theorem 11.16, define X^o a i :=x - 

The power series of several elementary functions are alternating and decreasing on 
small rational inputs. 

Definition 11.18. 

• For —1 < o < 0, expq(a) := X^o fr- 

• For —1 < a < 1, sin<Q(a):= X)£ 0 (~1)* J+i). ■ 

• For —1 < a < 1, tariQ 1 (a) := X^o ( —1 )*frfT • 

These functions can be extended to all rationals in their domains by repeated 
applications of the following formulas to reduce input into the above domains. 

expq(o) x ex Pq(|) 
expq(a) X exp^-a) 
sinq(a) X 3sin Q(§) ~ 4sin 3h(|-) 
tanq 1 (a) x -tan q X (-o) 
tan, u '(a) x --tan^^a -1 ) (for0<a) 

tanq 1 (a) X J + tan^^j^ (for0<a) 

The real number 7r can be defined in terms of tan^ 1 in several ways. Below is a def¬ 
inition that uses particularly small inputs to tan^ [Williams, 2002]. 

Definition 11.19. 

7T := 176 + 28 tan^(^) - 48 tan^(^) + Qetan^^). 

The power series for tanh -1 is sub-geometric. 

Definition 11.20. For -l<a<l, tanhq 1 (a) := X^o 2i+i ' 

The function cosq can be easily defined in terms of sing, and Inq can be defined in 
terms of tanhq 1 . 

cosq(o) := l-2sin^|) 

SS) : = 2tanh «(^) 

In order to improve efficiency, the input for In is reduced to the interval 2J by 
repeated applications of the following formula: 

Ma)xln Q (0 + ln q (2) 
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Theorem 11.21. The functions siriQ, cosq, and tan^ 1 are uniformly continuous 
on Q with moduli I. 


Theorem 11.22. For every a: 7L, A b: <Q. exp<Q^& J is uniformly continuous with 
modulus \e.e2 a ifa< 0 and with modulus \e.e2F if 0<a. 

Theorem 11.23. For every a: <Q + , A b: (Q. In<q^& ^ is uniformly continuous with 
modulus Xe.e a. 


These functions can all be lifted, using bind', to functions on 1R or whatever their 
domains are. The non-uniformly continuous functions exp and In are defined the 
same way that multiplication and the reciprocal were defined. 


Definition 11.24. exp(a:) := bind'f A6: Q. expq 


^(x) where c:= [aj(l), + 1]. 


Definition 11.25. Suppose that 0 < x. Then there exists some a: Q such that 
0 < a < x. 


ln(a):=bind'(A&.ln Q (& ))(a). 


Other elementary functions could be defined in terms of the elementary functions 
given above, but I have not pursued this yet. 


11.4.1 Summing Series 

One of the more challenging aspects of the formalization was computing the infinite 
series in an efficient manner. I needed to convince Coq that the procedure of accu¬ 
mulating terms until the error becomes sufficiently small will terminate. To do this, 
I provided Coq with an upper bound on the number of terms that would be 
required. I tried two different methods to accomplish this. 

The first method computes an upper bound on the number of terms needed as a 
Peano natural number. The problem is that the call-by-value evaluation scheme 
used by Coq’s virtual machine would first compute this value before computing the 
series. This upper bound is potentially extremely large, it is encoded in unary, and 
only a few terms may actually be needed in the computation. My solution to this 
problem was to create a lazy natural number data type using the standard trick of 
placing a function from the unit type inside the constructor to delay evalua¬ 
tion [Mitchell, 2003]. 
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Inductive LazyNat : Set := 

I LazyO : LazyNat 

I LazyS : (unit -> LazyNat) -> LazyNat. 

Figure 11.1. Inductive definition of lazy natural numbers for Coq. 

When a lazy natural number parameter is passed to a function under the call-by- 
value evaluation scheme, the parameter will be evaluated to weak head normal 
form. This means that if the number is of the form LazyS f , then the f term will 
be reduced to fun () => m, but the body m will not be evaluated. If m has a very 
large normal form, then this delay will prevent the term from being expanded. 
Only when f is forced, by evaluating f (), will the body be evaluated to the next 
constructor. If f () is never evaluated, then the work of fully evaluating the 
number is avoided. 

By using this delaying and forcing technique, only the number of constructors 
needed for the recursion are evaluated. Care is needed to only force evaluation 
when necessary in order to avoid accidentally normalizing the entire (extremely 
large) lazy natural number. 

A second method, suggested by Benjamin Gregoire [Gregoire, 2007], is to compute 
the number of terms needed as a binary number. This prevents the term from 
becoming too big. It is possible to do recursion over the binary natural numbers 
such that two recursive calls are made with the output of one recursive call being 
threaded through the other. In this way, up to 2" recursive calls can be made even 
though only n constructors are provided by the witness of termination. 

In the simplified example below, think of F as a function that we would take the 
fixed point of if we had general recursion available to us. The function 
iterate_pos n is n iterations of F. Continuation passing style is used to thread the 
recursive calls. 


Variable A R : Type. 

Variable F : (A -> R) -> A -> R. 

Fixpoint iterate_pos (n:positive) (cont: A -> R) : A -> R := 
match n with 
I xH => F cont 

I xO n’ => iterate_pos n’ (fun a => iterate_pos n’ cont a) 

I xl n’ => F (fun a => (iterate_pos n’ 

(fun a => iterate_pos n’ cont a)) a) 

end. 

Figure 11.2. The Coq function iterate.pos iterates F a given number of times. 

The ty-expansions of the continuations in the above definition are important, other¬ 
wise the virtual machine would compute the value of the iterate_pos n’ cont 
calls before reducing F. This is important because the idea is that F rec a may 
not utilize its recursive call, rec, depending on the value of a. 
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If Coq’s virtual machine supported lazy evaluation, none of these tricks would be 
needed. A standard Peano number could be used as the witness of termination, and 
it would only be evaluated as far as the number of recursive calls need. 

11.4.2 7 r 

A common definition of 7r is 4 tan _1 (l). This is an inefficient way of computing 7r 
because the series for tan -1 (l) converges very slowly. My definition of 7r (Defini¬ 
tion 11.19) can easily be shown to be equivalent to 4 tan -1 (l) by repeated applica¬ 
tion of the arctangent sum law: 

if a,b£ ] —1,1[ then tan -1 (a) +tan _1 (6) x tan -1 

To apply the arctangent sum law, one needs to repeatedly verify that a and b lie in 
] —1, 1[. To prove this, I wrote a Coq function to iterate the function f(b) := ® 1 ^ h . 
and at each step verify that the result is in the interval ] —1, 1[. This function, 
called ArcTan_multiple, has type 

Va: Q. — 1 < a < 1 => Vn.T V (ntan -1 (:r) xtan -1 ^/( n) (0)^. 

It is easy to build a function of the above type that just proves T in all cases, but 
ArcTan_multiple tries to prove the non-trivial result if it can. 

To apply this lemma, I use a technique called reflection [Barendregt and Geuvers, 
2001]. The idea is to evaluate the ArcTan_multiple(o, r, n) into head normal form. 
This will yield either left(g) or right(p). If right(p) is returned then p is the 
proof we want. 

My first attempt at building a tactic to implement this did not work well. I used 
Coq’s eval hnf command to reduce my expression to head normal form. However, 
this command repeatedly calls simpl to expose a constructor instead of using the 
evaluation mechanism directly. The problem was that simpl does extra reductions 
that are not necessary to get head normal form, and using eval hnf was too time 
consuming. 

Instead, I built a generic reflection lemma, called reflect_right, to assist in 
applying the ArcTan_multiple function: 

\/z: A V B. (if z then T else T) => B 

This simple lemma does case analysis on z. If z contains a proof of A, it returns a 
proof of B. If t contains a proof of B. it returns a proof of T •=?. B. To prove 
ntan _1 (a) xtan _1 (/^”^(0)) for the example where a : = — andn:=176, one applies 
ref lect_right composed with ArcTan_multiple to reduce the goal to 

if (ArcTan_multiple * 176) then _L else T, 

where * is the trivial proof of — 1 < ^ < 1. One then normalizes this expression to 
either T, if ArcTan_multiple succeeds in finding a proof, or J_, if it fails. 
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11.5.1 Compression 

Without intervention, the numerators and denominators of rational numbers occur¬ 
ring in real number computations become too large for practical computation. To 
help prevent this, I defined a compression operation for real numbers: 

compressors) := approxq^x^^, d 

where d: 7L is the smallest integer such that ^ f and approx<Q(a, d) returns some 
rational number within 1 of a. The idea is that approx^fa, d) quickly computes a 
rational number close to a but having a smaller numerator and denominator. In my 
implementation, I return where n is chosen appropriately so that L is within 1 
of a. 

In any rational interval \p. q ] there is a unique simplest rational number L where 
simplicity is measured by |n| + |d|. However, finding the simplest rational number 
is roughly equivalent to a GCD computation. This is too expensive to compute, so 
I use the faster approximation method given above. 

The compress function is equivalent to the identity function on R. 

Theorem 11.26. For any x:lR,, compress(iE) x x. 

Generous use of compress usually increases the efficiency of real number computa¬ 
tion. I recommend that you pass every function’s input through compress first 
unless you have reason not to. 

There is one extra property that I will require from approxQ in Section 11.5.2. The 
approximation of a rational number will never drop below an integer. 

Theorem 11.27. For any z\7L cmda:(Q, if z<a then Md.z < approx<Q(a, d). 


11.5.2 Square Root 

Although one can define yfx as exp^i ln(;r) j, the square root function is common 
enough to warrant its own more efficient definition. If a: Q is such that 1 < a < 4, 
one can compute \fa by taking the limit of Newton approximations. Let the first 
approximation be bo := " 2 . and define successive approximations by bi+\ := 
approxQ ^^ 6 * , 2 2 ’ +1+1 ). The first approximation has an error of at most i. Each 
successive approximation squares the error. 
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Theorem 11.28. For any a: (Q, such that 1 < a < 4, let x(e) := b n , where n is the 
first natural number such that 2~ 2n <e. Then x is a regular function. 

Proof. Firstly, it suffices to show that for all n, ( b n — 2 -2 ’ 1 ) 2 < a < (b n + 2 -2 ’ 1 ) 2 
and 1 < b n hold. To see this, suppose (b n — 2 -2 ’ 1 ) 2 < a < (b n + 2 -2 ’ 1 ) 2 and 
( b m — 2 -2 " 1 ) 2 < a < ( b m + 2 -2 ” 1 ) 2 hold as well as 1 < b n and 1 < b m . From this we 
see that 0 < (b m + 2 -2 ” 1 ) 2 — (b n — 2 _2n ) 2 holds. We have that 1 < b m + 2~ 2m -f; 
b n — 2~ 2n holds. Therefore, 0 < b rn + 2 -2 ” 1 — b n + 2~ 2 ” and hence b n — b m < 2 -2 " + 
2_ 2 ™ holds. Similarly, b m — b n < 2 -2 ” 1 + 2~ 2 ” holds. Together this means 
Bf_ 2 n + 2 _ 2 rn(b n ,b m ) holdS. 

Consider the case where n = 0. In this case (bo — 2 -1 ) 2 = -A. Because a < 4, we can 
conclude that < a. We also have that (bo + 2 -1 ) 2 = “ + a + 1, and clearly 
a < ^- + o+l. Finally note that 1 < a, so 1 < bo- 

Suppose that n = m+ 1. Let 6 := 2~ 2 "' and c := ■ Assume by induction that 

( b m — S) 2 <a< (b rn + S) 2 and 1 < b rn . We know 0 < (6 2 , — a) 2 holds and hence 0 < 
(b^, + a) 2 — 4a b 2 n holds. From this we see that a (2 b rn ) 2 < (a + b 2 m ) 2 holds. There¬ 
fore a < c 2 and hence a < ( c + 4“) Because 1 < b m , we know that 

a + ft™ — b m 5 2 < a + b^ — S 2 . Because 6 2 < 1 < b m , we have 0 < a + b m ( b m — 6 2 ) and 
hence (a + b^ — b rn S 2 ) 2 < (a + b 2 rn — S 2 ) 2 holds. We also know that 0 < — 

( b m — 5) 2 ^J b m + S) 2 — a^j, so (a + — <J 2 ) 2 < a (2 b m ) 2 holds. Together we have 

(a + &TO — b m 5 2 ) 2 < a (2 b m ) 2 and hence ^c— < a holds. 

Now we need to show that 1 < b rn+ \ holds. We know 1 < c because 1 < a. There¬ 
fore, by Theorem 11.27, 1 < b rn+ i. 

Because B^(c, b m+ 1) holds and both 1 < c and 1 < b rn+ \ hold, we can can conclude 

that (b m+ 1 — ^ 2 ) 2 < a < (b m+ i + S 2 ) 2 holds from the fact (c — £ 2 ) 2 < a < (c-r <5 2 ) 2 
holds as shown above. □ 

For 0 < a that falls outside the interval [1, 4[, one can find some m: 7L such that 
1 < 4 m a < 4. Therefore, one can define the square root function on the rationals as 

(where x is defined as in Theorem 11.28) 
(for the to : 7L such that 1 < 4 m a < 4). 


VO := 0 
for 1 < a < 4, sfa := x 

otherwise, \fa := ^ 


Theorem 11.29. The function A a. fa~ is uniformly continuous with modulus 

V T o 

\s.s 2 . 





11.5 Improving Efficiency 


By using bind', the square root function can be lifted to the domain 1R. Notice that 
the square root of any negative number will be 0. If one wishes, one could add a 
dependent parameter to the square root that requires a proof that the input is non¬ 
negative (see Definition 11.7). Unlike a proof of positivity, a proof of non-negativity 
contains no constructive information, so a dependent parameter is not required to 
compute the square root. 


11.5.3 More Efficient Polynomials 

Consider the problem of computing 4x (1 — x) for an arbitrary real number x. The 
variable x occurs twice in the expression, so two different approximations for x will 
be computed (in general) to two different precisions. There is potential for some 
savings here. One could instead approximate x only once, to the higher degree of 
accuracy, and use the higher degree of accuracy for both approximations of x. If 
approximating x is an expensive operation, and x occurs several times, then one 
could potentially save a lot of work. 

The above situation occurs whenever a subexpression occurs multiple times in a 
given expression. The solution seems as simple as computing the highest precision 
required for all instances of the subexpression. Unfortunately, it is not always 
straightforward to determine what the highest degree of precision required is. 
According to my definition of multiplication, when multiplying x by (1 — x) the 
degree of precision required for (1 — x) depends on the value of the approximation 
of x in the first term. This sequencing of approximations makes it impossible, in 
general, to find the highest precision requested for x in a given expression. 

Multivariable polynomials form a common class of expressions where variables 
occur multiple times. This class of expressions can be optimized so that each vari¬ 
able is only approximated once. Let p: Q[Xq][X i]...[X„_i] be a multivariable poly¬ 
nomial in n variables. 11 - 2 I use the ellipsis instead of writing out the full recursive 
definition of the type of multivariable polynomials. One can recursively define an 
interpretation of [p] n as a uniformly continuous function Q—>...—> Q —» Q —> Q 
that agrees with the evaluation of \a n _ i... Aao- p(fin -1)... (flo) on the unit hyperin¬ 
terval. The case when n = 0 is trivial: [p] 0 := p. Suppose that [ • J m has been 
defined and consider the case when n = m + 1. Let M be an upper bound of 
\x m ....\xo.\p'(x m )...{xo)\ over the unit hyperinterval, where p' is the formal deriva¬ 
tive of p with respect to X m . The interpretation for the multivariable polynomial p 

is M m+1 ■= A a: (Q. |p^a with a modulus of continuity of Xe. . Once 

defined, the uniformly continuous function can be lifted, using map and ap, in order 
to apply a multivariable polynomial to real numbers. 


11.2. Formally this is really <Q[X][X]...[X], because R[X] is the ring of formal polynomials over R 
for any ring R. The different formal variables are accessed by using a differing number of injec¬ 
tions. X is the outermost variable, i(X) is the second most outer variable, i(i(X)) is the third 
outermost variable, where i: R =>■ R[X] is the natural ring monomorphism. For this informal dis¬ 
cussion I will stick with the traditional mathematics notation. 
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An upper bound on the absolute value of a multivariable polynomial can be com¬ 
puted in a number of ways. One reasonable method is to express the multivariable 
polynomial in the Bernstein basis. The maximum and minimum of the coefficients 
in the Bernstein basis form reasonable upper and lower bounds of the polyno¬ 
mial [Zumkeller, 2008]. This is the method that I use. 

Each variable is only approximated once. The bound on the derivative of p is used 
to compute the modulus of continuity for that particular variable. It is interesting 
to note that after a variable is approximated, it is plugged into the multivariable 
polynomial, and the number of variables is reduced by one. This means the degree 
of approximation required for successive variables depends on the approximation of 
the previous variables. The amount of work required to evaluate a multivariable 
polynomial can therefore depend on the order in which the variables appear. 


11.5.3.1 Implementing More Efficient Polynomials 


Implementing the above interpretation in Coq was more difficult than I had 
expected. Obviously the interpretation is defined recursively. The difficulty comes 


when trying to prove that A a: Q. 
supplying a proof of 


KOI 


is uniformly continuous. This requires 




1K0LHCL 


( 11 . 1 ) 


KOL 1 


The difficulty is that such a proof requires reasoning about 

cannot prove anything about [ ■ ] because it is a recursive call. All that is known 
about [-J to is its type. 

I found no other way than to recursively define an interpretation function of type 


Vp: Q[X 0 ][X 1 ]...[X n . 1 ]3f: ... - Q . Xn (p, /), 

where \n is itself defined recursively as 

Xo (P,f) ■= P=f 

Xm+i{p,f) ■■= Va:Q.x ro ^a^,/(a)^. 

An interpretation function of this type produces a uniformly continuous function / 

of type CQ —> —CQ along with a proof that this function is equivalent to the input 

multivariable polynomial p on the unit hyperinterval. This extra information in the 
type gives enough information about / so that I can prove Equation 11.1 during 
the recursive definition of the interpretation function. 



11.5 Improving Efficiency 


11.5.4 More Efficient Power Series 

A power series converges faster for arguments closer to 0. For sin<q and exp<Q, the 
two equations mentioned before, 

expq(o) x ex Pq(f) 
sin Q (a) x Ssin^d)-dsin^Q), 

can be repeatedly applied to shrink the input arbitrarily close to 0. There is, of 
course, a trade-off between evaluating a polynomial each time such an equation is 
used and having the power series converge faster. The optimal trade-off depends on 
the input and the implementation of the library. At the moment, 1 do not apply 
any of this extra range reduction. 

Unfortunately such nice reductions do not seem to exist for In or tan -1 . 

11.5.5 More Efficient Periodic Functions 

The functions sin and cos are both periodic with period 2n. With a reasonably fast 
implementation of 7r, it is possible to subtract a multiple of 2n to reduce the mag¬ 
nitude of the argument to sin or cos. 

Vn: Z. sin(x) x sin(x — n27r) 

Vn: 7L. cos(x) >; cos(ir — n 2n) 

The best value of n would be The function mapping a; to a nearest integer 

[a;] is not computable for real numbers, but it is computable for the rationals (it 
does not matter which integer — maps to). The approximation —(-) is within — of 
^r’ so | awO] 1S an inte § er within 1 of [ ^ |. which is good enough to use for n. 

One could be even more clever with the symmetries of sin and cos to reduce the 
range further [Lester, 2008], but 1 have only implemented the reductions up to 27r 
described above. 


11.5.6 Summing Lists 

ft is not uncommon to want to sum a list of real numbers. The use of ap in the def¬ 
inition of addition means that to compute x + y within e, one must compute both x 
and y within If one associates the sum of a list of numbers all to one side 
a o + (ai + (... + a n )), the first term ao is only approximated within while the last 
term a n is approximated within 

If one is summing a list with exactly a power of 2 number of terms, then one can 
associate the sum into a balanced binary tree. In this case, all terms will be 
approximated to the same degree; however, to handle more general cases it is useful 
to directly define the sum of n real numbers. 
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Definition 11.30. 0 2q:=Ae. *»(^)- 

Theorem 11.31. The term 0 Xi is a regular function. 


11.6 Correctness 


There are two ways to prove that my functions are correct. One way is to prove 
that they satisfy some uniquely defining properties. The other way is to prove that 
each function is equivalent to a given reference implementation. I have verified that 
my functions are equivalent to the corresponding functions defined in the CoRN 
library [Cruz-Filipe et ah, 2004]. The functions in the CoRN library can be seen to 
be correct from the large library of theorems available about them. The CoRN 
library contains many different characterizations of these functions and new charac¬ 
terizations can easily be developed. 

The CoRN library defines a real number structure as a complete, ordered, 
Archimedean, constructive field. My first step was to prove that my operations 
form a real number structure. I first attempted to directly show that my real num¬ 
bers satisfy all the axioms of a real number structure, but this approach was diffi¬ 
cult. Instead, I created an isomorphism between my real numbers and an existing 
model of the real numbers developed by Niqui [Geuvers and Niqui, 2002]. This was 
a much simpler approach because Niqui’s Cauchy sequence definition and my reg¬ 
ular function definition are closely related. With this isomorphism in place, I 
proved my operations satisfied the axioms of a real number structure by passing 
through the isomorphism and using Niqui’s existing lemmas. Niqui has also proved 
that all real number structures are isomorphic, so I can now create an isomorphism 
between my real numbers and any other real number structure. 

The next step was to prove that my elementary functions are equivalent to the cor¬ 
responding CoRN functions. These theorems are of the form 
d > (/coRN(a:)) ~ f($(x)) where $ is the isomorphism from CoRN’s real numbers to 
my real numbers. 

To aid in converting statements between different representations of real numbers, I 
have created a Coq rewrite database that contains the correctness lemmas (see Sec¬ 
tion 2.2.8.1). By rewriting with this database, expressions can be automatically 
converted from CoRN’s functions into my functions. This database can easily be 
extended with more functions as they are developed. 

The CoRN library was more than just a specification; the library was useful 
throughout my development. For example, I was often able to prove that a differen¬ 
tiable function / is uniformly continuous with modulus Ae. -A when M is a bound 
on the derivative of /. I could prove this because the theory of derivatives had 
already been developed in CoRN, and the isomorphisms allowed me to carry these 
results over to my real numbers. The CoRN library also helped me reduce the 
problem of proving the correctness of continuous functions on R to proving correct¬ 
ness only on (Q. 



11.8 Solving Strict Inequalities Automatically 


Theorem 11.32. Consider f: Q => R. If there is a CoRN differentiable function g 
with derivative g' such that Va: (Q.4>(g(d)) x /(4?(a)) and Vx. \g\x)\ < M, then f is 
uniformly continuous with modulus As. -L. 

Theorem 11.33. If f is uniformly continuous and g is CoRN continuous and 
Vo: Q.4>(g(d)) >; /($(a)), then \/x: lR.4>(si(a;)) >; f($(x)). 


11.7 Timings 

Table 11.1 shows examples of real number expressions that can be approximated. 
Approximations of these expressions were evaluated to within 10 -20 on a 1.4 GHz 
ThinkPad X40 laptop using Coq’s vm_compute command for computing with its 
virtual machine [Gregoire and Leroy, 2002], These examples are taken from 
the “Many Digits” friendly competition problem set [Niqui and Wiedijk, 2005]. 


Coq Expression 

Mathematical Expression | Time | Result | Error 

(CRsqrt (compress (rational_exp (1))* 
compress (CRinv_pos (3#1) CRpi)) )°/ 0 CR 

\/l | 1 sec 1 0.93019136710263285866 1 10~ 2 ° 

(sin (compress (CRpower_positive 3 
(translate (1#1) (compress (rational_exp (1) ) ) ) ) ) )°/.CR 
sin((e + l) 3 ) | 25 sec | 0.90949524105726624718 | 10~ 2 ° 

(exp (compress (exp (compress (rational_exp (1#2))))))'/ 0 CR 

~e^ I 146 sec I 181.33130360854569351505 110" 20 


Table 11.1. Timings of approximations of various real number expressions. 

Keep in mind that these computations are carried out without using machine 
integer support. Everything is done with inductive and co-inductive data types. 


11.8 Solving Strict Inequalities Automatically 

Whether a strict inequality holds between real numbers is semi-decidable. This 
question can be reduced to proving that some expression eo: H is positive. To prove 
eo is positive one must find an s: Q + , such that £ <eo- I wrote a tactic to automate 
the search for such a witness. It starts with an initial S: <Q + , and computes to see if 
eo(<5) — S is positive. If it is positive, then eo(<5) — 6 is such a witness; otherwise 6 is 
halved and the process is repeated. If eo x 0, then this process will never terminate. 
If eo < 0, then the tactic will notice that eo(S) + 5 is negative and terminate with an 
error indicating that eo is negative. I used this tactic when I needed to prove 
2 < e < 3 during my development. 
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This tactic has been combined with the rewrite database of correctness lemmas to 
produce a tactic that solves strict inequalities of closed expressions over CoRN’s 
real numbers. An autorewrite tactic is applied first, which automatically trans¬ 
forms many CoRN functions into equivalent versions of my functions (see Sec¬ 
tion 2.2.8.1 and Section 11.6). If this completes successfully, then it runs my tactic 
above that solves inequalities by computation. This allows users to work entirely 
with CoRN’s real numbers from their perspective. They need never be aware that 
my effective real numbers are running behind the scenes. 

Recently Cezary Kaliszyk has proved that Coq’s classical real numbers (from Coq’s 
standard library) form a CoRN real number structure [Kaliszyk and O’Connor, 
2009], and he has shown that Coq’s elementary functions are equivalent to CoRN’s. 
Now strict inequalities composed from elementary functions over Coq’s classical 
real numbers can automatically be solved. 

The tactic currently only works for expressions composed from total functions. Par¬ 
tial functions with open domains pose a problem because they need constructive 
proof objects. Consider the case of computing ln(x). In reality In has type 
V:c: R.O < x=> 1R, and the proof of 0 < x is a required second parameter. Recall from 
Definition 11.10, that 0 < x contains constructive information. An actual witness 
needs to be extracted from this proof in order to proceed with the computation. 
However, proof objects for CoRN functions are opaque, meaning that witnesses 
cannot be used for computation inside Coq, and Coq’s classical functions have no 
proof objects at all. Thus the required transparent proof object cannot automati¬ 
cally be translated from CoRN functions nor from Coq’s classical functions. How¬ 
ever, the required proof objects are proofs of strict inequalities, so I would like to 
develop a tactic that recursively solves these strict inequalities and creates trans¬ 
parent proof objects. This will allow one to prove strict inequalities over expres¬ 
sions with partial functions such as In. However, such a tactic seems to require 
setoid rewriting inside dependent types. This cannot be done with Coq’s current 
setoid rewriting mechanism. 


11.9 Remarks 


11.9.1 Using this Development 

I envision that the CoRN real numbers will continue to be the primary structure 
used in developments. The CoRN real numbers already come with a wide variety of 
theorems and definitions about them. I expect my real number library to work 
behind the scenes to solve problems. For those cases where real numbers computa¬ 
tion is needed, I expect the problem to be translated from the CoRN real numbers 
to my real numbers. The problem would then be solved by computation, and then 
converted back to CoRN real numbers if necessary. Hopefully, this process can be 
automated most of the time, as was done in Section 11.8, so that the user does not 
even need to be aware of my real number library. 
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11.9.2 Reworking Power Series 

The most significant issue with my implementation is the way that I implement 
power series (Section 11.4). The problem is that the partial series is summed using 
exact rational arithmetic. These sums create rational numbers with large numera¬ 
tors and denominators. In future work, one should explore the possibility of using 
real number arithmetic to compute the partial sums. Even though these sums are 
entirely rational, the ability for real numbers arithmetic to round off intermediate 
results (see compress in Section 11.5.1) could improve the overall efficiency of these 
calculations. 

11.9.3 Regular Functions vs Cauchy Sequences 

I developed regular functions as the most flexible type that I imagined for real 
numbers. I chose this representation because it is the type that reflects how real 
numbers are consumed: real numbers are consumed by asking for an approxima¬ 
tion. On the other side, Cauchy sequences reflect how real numbers are created. 
For example, the real numbers defined by power series (see Section 11.4) can natu¬ 
rally be seen as Cauchy sequences. 

Now that the implementation is complete, it is worth reflecting on the actual types 
behind the real numbers. Real numbers are generated in one of two ways. They are 
either created from a rational number using unit, or they are generated by the limit 
of a power series, which is effectively a Cauchy sequence. The arithmetic operations 
on real numbers simply combine and manipulate these Cauchy sequences and their 
associated moduli of convergences. 

The only exceptional operation is compress. In my implementation, compress effec¬ 
tively turns a real number into a regular sequence, which is a special kind of 
Cauchy sequence. Other potential implementations of compress could be imple¬ 
mented differently, and may not produce Cauchy sequences. 

11.9.4 Haskell Prototype 

Before beginning this formalization effort, I wrote a prototype Haskell module that 
implemented the functions described in this chapter. I wanted to ensure that the 
algorithms I had in mind would be practical for evaluation. This code, entitled Few 
Digits [O’Connor, 2005b], competed in the “Many Digits” Friendly Competi¬ 
tion [Niqui and Wiedijk, 2005] occurring on October 3-4, 2005. Although the code 
did not do particularly well in the contest, finishing eighth out of nine, it still could 
compute thousands of decimal digits within minutes or seconds for many of the 
problems. This performance was satisfactory, and I proceeded with the Coq formal¬ 
ization. 

The formalization effort uncovered a few errors in my prototype. These errors were 
all of the form of forgetting to clamp the input to some interval before function 
application (see Theorem 11.11 for example). Of course, these errors do not occur 
in the Coq formalization. 
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11.9.5 Comparisons With Other Implementations 

Cruz-Filipe implemented CoRN’s library of theorems and functions over the real 
numbers in Coq [Cruz-Filipe, 2004]. He worked with an abstract axiomatization of 
the real numbers, so his constructions can only be executed when given a construc¬ 
tive model of these axioms. Niqui implemented one model of the constructive real 
numbers using a Cauchy sequence representation [Geuvers and Niqui, 2002]. 
Although Cruz-Filipe’s work is constructive, it was never designed for evalua¬ 
tion [Cruz-Filipe and Letouzey, 2006]. Many important definitions are opaque, so 
evaluation cannot be done internally in Coq. Efficiency of computation was not a 
concern during development, so even when programs are extracted from the devel¬ 
opment, computation is slow. Cruz-Filipe showed that it is practical to develop a 
constructive theory of real analysis inside Coq. My work extends this result to 
show that it is possible to develop a theory of real analysis that is also practical to 
evaluate. Cruz-Filipe’s work also forms the reference specification of my work (see 
Section 11.6). 

There have been several implementations of real numbers in Coq using a co-induc- 
tive stream of digits representation. Ciaffaglione developed ring operations using a 
signed binary digits representation [Ciaffaglione, 2003], and Bertot uses a similar 
representation to compute Euler’s constant from its series definition [Bertot, 2007]. 
Most recently, Julien extended this work by implementing a stream of signed digits 
representation for an arbitrary base [Julien, 2008]. These representations allow 
common subexpressions to be easily shared because streams naturally memoize. 
Sharing does not work as well with my representation because real numbers are 
represented by functions. Julien also uses the new machine integers implementation 
in Coq’s virtual machine to make his computations even faster. It remains to be 
seen if using machine integers to implement rational number operations would 
provide a similar boost to my implementation. 

Munoz and Lester implemented a system for approximating real number expres¬ 
sions in PVS [Munoz and Lester, 2005]. Their system uses rational interval analysis 
for doing computation on monotone segments of transcendental functions. Unfortu¬ 
nately, this leads to some difficulties when reasoning at a local minimum or max¬ 
imum, so their system cannot automatically prove 0 < sin(^), for instance. 

Lester created a second implementation in PVS using fast Cauchy 
sequences [Lester, 2008]. The nth approximation in a fast Cauchy has an error of 
at most —. Lester defined several elementary functions. Because PVS works with 
classical mathematics, there is no internal evaluation mechanism like Coq has. 
Instead, the meta-system, in this case LISP, is used to create deductions that 
provide arbitrarily tight rational bounds on real number expressions. 

Harrison implemented a system to approximate real number expressions in HOL 
Light using a representation similar to regular sequences [Harrison, 1998b]. Like 
Lester’s work, his system runs a tactic that externally computes an approximation 
to an expression and generates a proof that the approximation is correct. 



11.9 Remarks 


Jones created a preliminary implementation of real numbers and complete metric 
spaces in LEGO [Jones, 1993]. She represented real numbers as a collection con¬ 
taining arbitrarily small intervals of rational numbers that all intersect. Complete 
metric spaces were similarly represented by using balls in place of intervals. 
Because the only way of getting an interval from the collection is by using the arbi¬ 
trarily small interval property, her representation could have been simplified by 
removing the collection and letting it implicitly be the image of a function that 
produces arbitrarily small intervals. This is similar to my work because one can 
interpret a regular function / as producing the interval [/(e) — e, /(e) +e]. Perhaps 
using functions that return intervals could improve computation by allowing one to 
see that an approximation may be more accurate than requested. 

My work is largely based on Bishop and Bridges’s work [Bishop and Bridges, 1985]. 
Some definitions have been modified to make the resulting functions more efficient. 
My definition of a metric space is more general; it does not require that the dis¬ 
tance function be computable. The original motivation for the distance relation was 
only to develop a theory of metric spaces that did not presuppose the existence of 
the real numbers; however, it allowed me to form a metric space of functions (see 
Section 10.2). This metric space will not, in general, have a computable distance 
function and would not be a metric space according to Bishop and Bridges’s defini¬ 
tion. 


11.9.5.1 Comparison with Classical Reals 

The constructive reals are a different structure than the classical reals. One way of 
defining the classical reals is by starting with classical sequences of rationals. Recall 
that a classical sequence is a binary relation on N and Q satisfying the property 
given in Section 2.2.2. Classical reals can be defined as classical Cauchy classical 
sequences of rationals with the appropriate equivalence relation, where the classical 
Cauchy condition uses a classical existential quantifier. 

Not surprisingly, one cannot, in general, compute approximations of classical real 
numbers like one can with constructive real numbers. There is an injection from 
the constructive real numbers to the classical real numbers, but the inverse of this 
function cannot be constructed. 

All of the developments of real numbers above are developments of the classical real 
numbers except for Cruz-Filipe and Jones’s developments. Even Ciaffaglione, 
Bertot, and Julien’s work is more or less classical, even though they are using Coq. 
Their implementation is constructive, but they use classical real numbers to specify 
the correctness of their algorithms. This makes their work more like the other clas¬ 
sical approaches. 

Rather than using a model of the classical real numbers to verify algorithms, I find 
it better to work with constructive reals which is a theory of the algorithms them¬ 
selves. The theory of the constructive reals is compatible with the theory of the 
classical reals, and working with the constructive reals helps prevent one from being 
distracted by potentially uncomputable real numbers. 





Chapter 12 
Integration over 1R 


In this chapter we develop another example of a complete metric space: the space 
of integrable functions. I define the integrable functions over [0,1] as the completion 
of the space of formal rational step functions on [0,1] with the L 1 metric. Integra¬ 
tion is defined as a uniformly continuous function from rational step functions to 
the rationals. This uniformly continuous function is then lifted to define integration 
from the integrable functions to the real numbers. 

The formal step functions also form a monad (Section 12.1.2) and the completion 
monad distributes over this step function monad (Section 12.1.9). However, rather 
than working with the monad interface for step functions, we find the applicative 
functor interface easier to work with (Section 12.1.3). 

To every uniformly continuous function, we associate an integrable function. This 
allows us to integrate any uniformly continuous function over [0,1] (Section 12.1.7). 
Because this is all developed as constructive mathematics, and because we use my 
efficient real numbers from Chapter 11, this integration can be effectively carried 
out inside Coq. 

Finally we show how, without any additional effort, this work can be extended to 
define a Stieltjes integral (Section 12.1.8). 


12.1 Informal Presentation of Riemann Integration 

We will implement Riemann integration as follows: 

1. Define step functions; 

2. Introduce applicative functors and show that step functions form an applica¬ 
tive functor; 

3. Show that the step functions form a metric space under both the L 1 and L°° 
norms; 

4. Define integrable functions as the completion of the step functions under the 
L 1 norm; 

5. Define integration first on step functions and lift it to operate on integrable 
functions; 


f. Work in this chapter was done in collaboration with Bas Spitters. 
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6. Define an injection from the continuous functions to the integrable functions 
in order to integrate them. 

At the end, we will see that it is natural to generalize our Riemann integral to a 
Stieltjes integral. 


12.1.1 Step Functions 

Our first goal will be to define (formal) step functions and some important opera¬ 
tions on them. For any type A, we first define the inductive data type of (rational) 
step functions from the unit interval to X, denoted by 6(A). A step function is 
either a constant function, const x, for some x: X, or two step functions, /: 6(A) 
and g: 6(A) glued at a point in o, glue ofg, where o must be a rational number 
strictly between 0 and 1. We will sometimes write (const a;) as x, and (glue ofg) as 
f>o<g. 

Definition 12.1. The rules for constructing the inductive data type 6: 

x:X o: ]0,1 [<q /: 6(A) g:6(A) 

consta;:6(A) f \> o<\ g\&{X) 

The elements of this inductive type are intended to be interpreted as step functions 
on [0,1]. The interpretation of x is the constant function on [0,1] returning x. The 
interpretation of / > o < g is / squeezed into the interval [0,o] and g squeezed into 
the interval [o,l]. In this sense / and g are “glued” together. 



f>o<g 


Figure 12.1. Given two step functions / and g, the step function / > o <1 g is / squeezed 
into [0,o] and g squeezed into [o, 1]. 
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Even though we call step functions “functions”, they are not really functions, and 
we never formally interpret them as functions. They are a formal structure that 
takes the place of step functions from classical mathematics. It does not matter 
that our informal interpretation of / > o < g is not well defined at o, because the 
step functions are intended for integration, not for evaluation at a point. 

One can see that this inductive type is a binary tree whose nodes hold data of type 
]0,1 [<q, and whose leaves have type X. We work with an equivalence relation on 
this binary tree structure that identifies different ways of constructing the same 
step function. Informally, this is the equivalence relation induced by our interpreta¬ 
tion; the formal equivalence relation is defined in Section 12.1.4. 

We define two sorts of inverses to glue which we call left-split and right-split. Given 
/: &(X) and a: ]0,1[q we define left-split (written as / ► a : &(X)) and right-split 
(written as a ◄ / : &(X)) as follows: 


Definition 12.2. 

x 

[ J'l ► " (if a < o) 

< fi (if a = o) 

[/*>£<(/»■ (if a>o) 

X 

\ (f ◄ fi) > < fr (if a<o) 

< fr (if a = 6) 

[f -X + fr (if a >6). 

Informally, the left split (/ ► a) takes the portion of / on the interval [0,o] and 
scales it up to the full interval [0,1]. The right split (a ◄ /) does the same thing for 
the portion of / on the interval [o,l]. We have that (/ ► a) I> a < (a ◄ /) >c / holds, 
which means that gluing back the left and right pieces of a step function split at a 
returns an equivalent function back. However, this process does not generally 
return an identical representation. The formal definition of the equivalence relation 
is defined later in Section 12.1.4. 

The inductive type for step functions has an associated catamorphism which we 
call fold. 


x ► a := 


(fl>o<f r )>a 


a<{fi>o<f r ) 


Definition 12.3. 


fold : (x^y)^(]o,i[ Q ^y^y^y)^s(x)^y 

fold:= <^(ie) 

fold(<p, ^>)(/ >o<g) := ip(o, fold(y>, fold(<p, 
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This fold operation is used in many places. For instance, it is used to define two 
metrics on step functions (Section 12.1.5) or to check whether a property holds 
globally on [0,1] (Section 12.1.4). Not every fold respects the equivalence relation 
on step functions, so we need to prove that each fold instance we use respects the 
equivalence relation. 


12.1.2 Step Functions Form a Monad 

The step function type constructor 6 forms a monad similar to the reader monad 
AX. [0,1] => X [Wadler, 1992], The unit of 6 is the constant function, map is defined 
in the obvious way using fold, and the join from ©(©(X)) to ©(X) is the formal 
variant of the join function from the reader monad, join(/)(^) := f(z)(z), which 
considers a step function of step functions as a step function of two inputs and 
returns the step function of its diagonal: 

Definition 12.4. 

join (/) := / 

join(/> o <1 < 7 ) := join(map(Aa;.a: ► o)(/)) t> o < join(map(Aa;.o ◄ 

Rather than use these monadic functions, we use the applicative functor interface 
to this monad. 


12.1.3 Applicative Functors 

Let SOI be a strong monad. To lift a function f: X => Y to a function 9Jt(X) => 
911(F), we use map: (X=> F) => S01(X) => 9H(F). Lifting a function with two curried 
arguments is possible using a similar function map2. However, to avoid having to 
write a function mapn for each natural number n, one can use the theory of 
applicative functors. An applicative functor consists of a type constructor T and 
two functions: 


pure : X=>T(X) 
ap : T(X => F) => T(X) => T(F) 

The function pure lifts any value inside the functor. The ap function applies a func¬ 
tion inside the functor to a value inside the functor to produce a value inside the 
functor. We denote pure (2:) by x , as was done for monads, and we denote ap(/)(x) 
by / @ x. An applicative functor must satisfy the following laws [McBride and 
Paterson, 2008]: 

Iitixv Identity 

B @ u @ u @ w xc u@(v@w) Composition 
f @x xc f(x) Homomorphism 

u@y x evfj @u Interchange 
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Where B and I are the composition and identity combinators respectively (see Sec¬ 
tion 12.2.4) and ev y := Xf. f(y) is the function which evaluates at y. 

Every strong monad induces the canonical applicative functor [McBride and 
Paterson, 2008] where 

pure := unit 

f@x := bind (Xg. map(t/)(a;)) /. 

As the name suggests, every applicative functor can be seen as a functor. Given an 
applicative functor X, we define map: (X => Y) => X(X) => X(X) as 

map (f)(x):=f@x. 

When X is generated from a monad, this definition of map is equivalent to the defi¬ 
nition of map associated with the monad. 


12.1.4 The Step Function Applicative Functor 

The ap function for step functions 6 applies a step function of functions to a step 
function of argument point wise. It is formally defined as follows: 

Definition 12.5. 

/@i := f(x) 

f@(xit>o<\x r ) := (f@xi)>o<\(f@x r ) 

fr)@X := (fl@(x ► o)) t> O < (f r @(o ◄ x)). 

For step functions 6, we denote map(/)(x) by ftfx. This notation is meant to sug¬ 
gest the similarity with the composition operation, which is the definition of map 
for the reader monad AX. [0,1] => X. 

Definition 12.6. The binary version of map is defined in terms of map and ap. 
map2(/)(a, b) := fd'a@b. 


Higher arity maps can be defined in a similar way; however, we found it more nat¬ 
ural to simply use map and ap everywhere. 

We will often use map2 to lift infix operations. Because of this, we give it a special 
notation. 

Definition 12.7. If © is some infix operator such that Xxy.x®y: X =>Y => Z, then 
we define 


f(®)g:= ( Xxy.x®y)d'f@9 , 
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where f:6(X), g:6(Y), and f(®)g:G(Z). 


For example, if f,g: 6(Q) are rational step functions, then f(—)g is the pointwise 
difference between / and g as a rational step function. 

We can lift relations to step functions as well. A relation is simply a function to *, 
the type of propositions. Thus a binary relation oc has a type Xxy.x oc y: 
X => Y => ★ . If we use map2, we end up with an function Xfg.f(oc)g: 
&(X) => 6(F) => S(*). The result is not a proposition, but rather a step function 
of propositions. Classically, this corresponds to a step function of Booleans. In 
other words, ©(*) represents a type of step characteristic functions on [0,1]. 

Each way of turning a characteristic function into a proposition determines a dif¬ 
ferent kind of predicate lifting [Schroder, 2005]. For our purposes, we are interested 
in the one that asks the characteristic function to hold everywhere. The function 
fold* : ©(★) => * does this by folding conjunction over a step function. 


Definition 12.8. fold* := fold (I, Xopq.pAq). 


When this function is composed with map2, the result lifts a relation to a relation 
on step functions. 


Definition 12.9. f{oc}g := fold*(/(oc}<7). 

For example, we define equivalence on step functions by lifting the equivalence rela¬ 
tion on X. 


Definition 12.10. / ~e(x) g ■= f{~x}g- 

Two step functions are equivalent if they are pointwise equivalent everywhere. 

Similarly, we define a partial order on step functions by lifting the inequality rela¬ 
tion on Q. 

Definition 12.11. / <e(<Q) 9 ■= f{ <Q }ff- 

A step function / is less than a step function g if / is pointwise less than g every¬ 
where. 


12.1.5 Two Metrics for Step Functions 

The step functions over the rational numbers, <3(Q), form a metric space in two 
ways, with the L°° metric and the L 1 metric. We first define the two norms on the 
step functions. 



12.1 Ii 


l Pre: 
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Definition 12.12. 

Il/lloo := fold sup (abscT/) 
ll/lli := fold a ffme(abscf/) 

where 

fold sup := fold(I, Xoxy. max (x, y)) 
foldaffine := fold (I, Xox y. o x + (1 — o) y) 

and abs: (Q => Q is the absolute value function on Q. 

The function fold sup : 6(Q) => Q returns the supremum of the step function, while 
the function fold a ffine ; ®(Q) => Q returns the integral of a step function. 

Next, the metric distance between two step functions is defined. 

Definition 12.13. 

:= Il/Hslloo 

d\f,g) := 

Finally, the distance relations are defined in terms of the distance functions. 

Definition 12.14. 

Bf°° (Q \f,g) := d°°(f,g)<e 
Bf m (f,g) := d 1 (f,g)<e. 

Both these metric spaces are prelength spaces. 

When we need to be clear which metric space is being used, we will use the nota¬ 
tion S°°((Q) or S 1 ((Q). 

The two fold functions defined in this section are uniformly continuous for their 
respective metrics. 

fold sup : 6°°(Q)->Q 
fold affine : ©HQ) - Q 

The identity function is uniformly continuous in one direction, t: 6°°(Q) —* 6 1 (Q); 
however, the other direction is not uniformly continuous. 

The metrics S°°(JT) and S 1 (X) can be defined for any metric space X: 

Bf°° {X) (f,g) := fold♦(flfd'/Qg) 

Bf 1 {X \f,g) := 3/i: S((Q+). fo\d+(B x rfh@f@g) A ||h||i < £ 
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We have implemented the generic S°°(X) metric in our formalization. However, for 
the L 1 space, we have only implemented the specific ©*((Q) metric. 


12.1.6 Integrable Functions and Bounded Functions 

The bounded functions and the integrable functions are defined as the completion 
of the step functions under the L°° and the L 1 metrics respectively. 


Definition 12.15. 


:= £o6°° 

1 := Co© 1 . 

In Section 12.1.1, we informally interpreted elements of &(X) as (partially defined) 
functions on [0,1]. Similarly, we can informally interpret each bounded function as 
a (partially defined) function. Consider /: 5B(Q). Define g n := /(“)• Then 
lim g n (x) exists for all points x in [0,1] except perhaps for the (rational) splitting 
points of the step functions g n . At the points where this limit is defined, it is (clas¬ 
sically) continuous. 

To every Riemann integrable function on [0,1] we can associate an element in 3(Q). 
Moreover, functions / and g such that f | f — g \ >; 0 will be assigned to equivalent 
elements in d(Q). This definition can be extended to every generalized Riemann 
integrable function, where a function ft is generalized Riemann integrable if ft„ := 
max (min (ft, n), —n) is integrable for each n and the limit of f h n converges (even 
though h n may not converge pointwise everywhere). Conversely, we can informally 
interpret every element / of 3(Q) as a generalized Riemann integrable function. 
Define g n as the sequence 



By the fundamental lemma of integration [Lang, 1993], g n converges pointwise 
almost everywhere. Let g be this pointwise limit. Then g is a generalized Riemann 
integrable function associated with /. 

The bounded functions have a supremum operation, sup : 58 (Q) —> R and, similarly, 
the integrable functions have an integration operation, f : 3(Q) —> R which are 
defined by lifting the two folds from the previous section (recall Definition 10.14). 


sup(/) := mapc(fold sup )(/) 
Jf : = map(r(fo[daffine) (/) 


Definition 12.16. 



12.1 Informal Presentation of Riemann Integration 


There is an injection from the bounded functions into the integrable functions 
defined by lifting the injection on step functions: t : ©((Q) —> 3(Q). However, there 
is no injection from integrable function to bounded functions. Thus bounded func¬ 
tions can be integrated, but integrable functions may not have a supremum. 


12.1.7 Riemann Integral 

The process for integrating a function is as follows. Given a function /, one needs 
to find an equivalent representation of / as an integrable function and then this 
integrable function can be integrated. We will consider how to integrate uniformly 
continuous functions on [0,1], which is a useful class of functions to integrate. 

We convert a uniformly continuous function to an integrable function by a two step 
process. First, we will convert it to a bounded function, and then the bounded 
function can be converted to an integrable function using the injection defined in 
the previous section. 

To produce a bounded function, one needs to create a step function that approxi¬ 
mates / within s for any value e: Q + . The usual way of doing this is to create a 
step function where each step has width no more than 2 /r/(e)- The value at each 
step is taken by sampling the function at the center of the step. 



0 f 1 0 v, V2 y. l 0 v, Vi y. l 

J S4 map(/)(s4) 


Figure 12.2. Given a uniformly continuous function / and a step function 54 that 
approximates the identity function, the step function map(/)(s 4 ) (or /cfS 4 ) approximates 
/ in the familiar Riemann way. 


When developing the above, it became clear that one can achieve the desired result 
by creating a step function whose values are the sample inputs, and then mapping 
/ over these “sampling step-functions” (see Figure 12.2). In fact, the limit of 
these “sampling step-functions” is simply the identity function on [0,1] represented 
as a bounded function, I[ 0 ,i] : ©(Q) (see Section 12.2.6). Given any uniformly con¬ 
tinuous function /: (Q —> (Q, we can prove that mapeo<>(/): 6°°(Q) —► S°°((Q) is uni¬ 
formly continuous. We can then lift again to operate on bounded functions, 
map',r(mape°o(/)): ©((Q) —> ©(Q). Applying this to I[o,i] yields / restricted to [0,1] 
as a bounded function, which can then be converted to an integrable function and 
integrated. 
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Definition 12.17. f [01] f ■= f (i (mape(map s =°(/))(l [0 ,i]))). 

With a small modification, this process will also work for /: <Q —> R. In this case 
map(/) has type 6(Q) => 6(R), Fortunately, there is an injection dist : 6(R) => 
25 (Q), that interprets a step function of real values as a bounded function (see Def¬ 
inition 12.20). We can prove that the composition dist o (mape(/)): S°°(Q) —» 
B(Q) is uniformly continuous. Then, proceeding in a similar fashion, this can be 
lifted with bind' (recall Definition 10.21) and applied to I[o,i] to yield / restricted to 
[0,1] as a bounded function, which can then be integrated. 

Definition 12.18. / [01] /:=/ (i (bind^disto (map s (/)))(I[o,i]))). 

An arbitrary uniformly continuous function /: R—> R can be integrated on [0,1] by 
integrating / o unite : Q —> R because the Riemann integral only depends on the 
value of functions at rational points. 


12.1.8 Stieltjes Integral 

Given the previous presentation, any bounded function could be used in place of 
I[o,i] - A natural question arises: what happens when I[ 0 ,i] is replaced by another 
bounded function, g: 25 (Q)? An analysis shows that the result is the Stieltjes inte¬ 
gral with respect to g~ x , when g is non-decreasing. 

Definition 12.19. f fdg~ 1 :=J (i(binde(disto (mape(/)))(fl)))- 


We never intended to develop the Stieltjes integral; however, it practically falls out 
of our work for free. This is not quite as general as the Stieltjes integral for three 
reasons. Because g is defined on [0,1], this means that g~ x ' s range must go from 0 
to 1. Essentially, g~ x must be a cumulative distribution function and, hence, g is a 
quantile function. Secondly, because g is a bounded function, </ _1 must have com¬ 
pact support (meaning g~ x must be 0 to the left of its support and 1 to the right of 
its support). Thirdly, our bounded functions can only have discontinuities at 
rational points. 

We have tried to allow g to be an arbitrary integrable function (this would remove 
some of the previous restrictions); however, we have been unable to constructively 
show that dist o (mape(/)): S 1 (Q) => 3(Q) is uniformly continuous when / is. We 
have generated counterexamples where / is uniformly continuous with modulus fi 
and disto (map@(/)) is not uniformly continuous with modulus ji\ however, for our 
particular counterexamples, dist o (map©(/)) is still uniformly continuous with a 
different modulus. 

Still, our integral should allow one to integrate with respect to some interesting dis¬ 
tributions such as the Dirac distribution and the Cantor distribution. 
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12.1.9 Distributing Monads 

The function dist: @(IR) => 'B(Q) combines two monads on metric spaces, £ and 0. 
The function dist has type @(£(Q)) => £(@(Q)). In general, the composition of two 
monads 9Jt o 91 forms a monad when there is a distribution function dist : 
9t(9Jl(X)) —> 9Jt(9T(X)) satisfying certain laws [Beck, 1969]. Below we state the 
laws in a more familiar function style [Jones and Duponcheel, 1993] i 12 - 1 

distomapai(map OT (/)) x mapsrrt(map<n(/)) odist 
distounitai x mapsrrt(unitai) 
disto mapat(unitOT) x units^ 
prod o mapai(dorp) x dorpo prod 

where 

prod := mapOT(join<n) odist 
dorp := joingji 0 mapan(dist). 

Definition 12.20. In our case, the distribution function is defined as 

dist : e°°(C(X)) 

dist(/) := A£.mape°o(Aa;.#(£))(/). 

The function dist maps a step function / with values in the completion of X to a 
collection of approximations f s : to the function / such that for all e in <Q + , 

| / — f £ | < e “pointwise”. 


12.2 Implementation in Coq 

In this section, we treat aspects related to our implementation in Coq. 

12.2.1 Glue and Split 

As discussed in Section 12.1.1, step functions are an inductive structure defined by 
two constructors. One constructor constStepF creates constant step functions, and 
the other constructor, glue, squeezes two step functions together, joining them 
together at a given point o: ]0,1[q. One of the first operations we defined on step 
functions (after defining fold) was Split, which is like the opposite of glue. 
Recall from Section 12.1.1 that, given a step function / and a point a: ]0,1[<q, 
Split splits / into two pieces at a. The functions SplitL and SplitR return the 
left step function and the right step function respectively. Table 12.1 lists the asso¬ 
ciation between our mathematical notation and the concrete syntax used in Coq. 

12.1. For the S and € monads, we formally checked all of these rules apart from the last one 
which was too tedious; however, the correctness of the integral does not depend on the proofs of 
these laws. 
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Mathematical Notation 

Coq Syntax 

X 

constStepF x 

f>o<g 

glue o f g 

/ ► a 

SplitL f a 

a<f 

SplitR f a 

(/ ► a, a ◄ /) 

Split f a 


Table 12.1. The concrete syntax used in Coq for our step function notation. 

The key to reasoning about Split was to prove the Split-Split lemmas: 

ab = c => f>a>bxf>c 
a + b — ab = c => b<a<f^c<f 
a + b — ab = c=>dc = a => (a◄ /) ► d< (/► c) 

This collection of lemmas shows how the splits combine and distribute over each 
other. With sufficient case analysis, one can prove the above lemmas. These 
lemmas, combined with a few other useful lemmas (such as Split-Map lemmas) 
provided enough support to prove the laws for applicative functors without diffi¬ 
culty. 


12.2.2 Equivalence of Step Functions 

The work in the previous section defined an applicative functor of step functions 
over any type X. From this point on, we will require that X be a setoid (see Sec¬ 
tion 2.2.8). In order to help facilitate this, in our development we define new func¬ 
tions, constStepF, glue, Split, etc., that operate on step functions of setoids 
rather than step functions of types. These functions are definitionally equal to the 
previous functions, but their types now carry the setoid relation from their argu¬ 
ment types to their result types. These new function names shadow the old func¬ 
tion names, and the lemmas about them need to be repeated; however, their proofs 
are trivial by using previous proofs. 

Perhaps the biggest challenge we encountered in our formalization was to prove 
that lifting setoid equivalence to step functions (Section 12.1.3) is indeed an equiva¬ 
lence relation—in particular showing that it is transitive. We eventually succeeded 
after creating some lemmas about the interaction between the equivalence relation 
and Split, etc. 


12.2.3 Common Partitions 

When reasoning about two (or more) step functions, it is common to split up one 
of the step functions so that it shares the same partition structure as the other step 
function. This allows one to do induction over two step functions and have both 
step functions decompose the same way. Eventually, we abstracted this pattern of 
reasoning into an induction-like principle. 
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Lemma StepF_ind2 : 

(VSo Si to h: & (X). So x Si => t 0 x fa => 'F(s 0 , t 0 ) => ^(si, ti) ) => 

(Vx:X.Vy:Y. 4>( f, y ))=► 

(Vo. Vs; S r : &(X).\/tit r : &(Y).'&(si,ti) =^^(s r ,t r ) => \F(sj > O < s r , t; > 0 < f r )) =>■ 
Vs:6(X).Vf:6(y). 4-( s, t ). 

This lemma may look complex, but it is as easy to use in Coq as an induction prin¬ 
ciple for an inductive family. Normally one would reason about two step functions 
by assuming, without loss of generality, that they have a common partition, then 
doing induction over that partition. Our lemma above combines these two steps 
into one. In one step, one does induction as if the two functions have a common 
partition. This lemma was inspired by McBride and McKinna’s work on views in 
dependent type theory [McBride and McKinna, 2004b]. It allows one to “view” two 
step functions as having a common partition. 

The lemma is used by applying it to a goal of the form f orall (s t : StepF X), 
<expr>, which can be created by generalizing two step functions. There are only 
two cases to consider. One case is when s and t are both constant step functions. 
The other case is when s and t are each glued together from two step functions at 
the same point. There is, however, a side condition to be proved. One has to show 
that <expr> respects the equivalence relation on step functions for s and t. Fortu¬ 
nately, <expr> is typically constructed from respectful functions, and proving this 
side condition is easy. 

This induction lemma was very useful for proving the combinator equations in Sec¬ 
tion 12.2.4. 


12.2.4 Combinators 

The combinators B and I are preserved by every applicative functor (see Sec¬ 
tion 12.1.3). For the applicative functor S, all lambda expressions are preserved. 
To show this, it is sufficient to show that each of the BCKW combinators are pre¬ 
served. These are the combinators defined by: 

• f(g{x)) (compose) 

• ’■= (interchange) 

• I(x) := x (identity) 

• K(x)(y) := x (discard) 

• W(/) (x) := f{x)(x) (duplicate) 

The identity combinator is redundant because IxW(K), but it is still useful. 

All lambda expressions can be rewritten in a “point free” form using these combina¬ 
tors. Using combinators allows us to reason about the lambda calculus without 
worrying about binders, which are notoriously difficult to do by hand (see Sec¬ 
tion 4.7). 
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Theorem 12.21. The remaining combinators, CKW, are preserved, by the 6 
monad. 


C cf f @x@y x 6 x f@y@x 
'Ktf x@y x S x x 
Wtff@x x 6X f@x@x 

This means that we can lift any function definable with the A-calculus to step func¬ 
tions. 


12.2.5 Lifting Theorems 

During our development, we often needed to prove statements like the transitivity 
of the order relation on the step functions: 

\/fgh: 6(Q). /{<<q}y => g{<<a}h => /{<q}/i 

We would like to deduce this statement from the transitivity of the corresponding 
pointwise relation: 


Wxyz: <Q.x <q y => y <<q z => x <q z 

First, we use a lemma that lifts universal statements about an arbitrary predicate 
R: X =>Y => Z => * to a universal statement about step functions: 

(Vie: X.Vy: Y.Vz: Z.R{x, y, z)) => 

V/: S (X).Vg: 6(F).Vh: &{Z). fold* (Rtf f@g@h) 


This yields 

V fgh: 6(Q). fold*((Aa;y 2 :.a; <<q y => y <q ^ => x <<q z) tf f @ g @ h). 

Next, we would like to “evaluate” the lambda expression as “applied” to the step 
functions /, g, and h. Because /, g. and h are variables, we need to symbolically 
evaluate the expression. We avoid dealing with binders by converting the lambda 
expression into the combinator expression 

S(B(S)(B(B(B(B)(=>)))(<q)))(B(C(B(S)(B(B(=>))(<q))))(< q )) 
tf f@g@h, 

where S := B(B(B(W))(C))(B(B)) and (=>) and (<q) are prefix versions of these 
infix functions. This substitution is sound because the combinator term and 
lambda expression can easily be shown to be extensionally equivalent (by normal¬ 
ization), and map and ap are well-defined with respect to extensional equality. 
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We found the required combinator form by using lambdabot [Bromage and Jager, 
2006], a standard tool for Haskell programmers. It would have been interesting to 
implement the algorithm for finding the combinator form of a lambda term in Coq; 
however, this was not the aim of our current research. 

Now that the lambda term is expressed in combinator form, we can repeatedly 
apply the combinator equations from Section 12.1.3 and Section 12.2.4. These 
equations are exactly the rules of “evaluation” of this expression “applied” to step 
functions. We put these equations into a database of rewrite rules and used Coq’s 
autorewrite system (see Section 2.2.8.1) as part of a small custom tactic to auto¬ 
matically reduce this entire expression in one command, yielding 

Vfgh: S(<Q). fold*(/ (<<q) g (=>) gf (<q)/i). 

Finally, we push the fold* inside. To do so, we have proved a lemma which allows 
us to distribute implication over fold*: 

VPQ: ©(*).(fold* (P <=*) Q)) => fold*(P) => fold*(Q) 

Repeated application of this lemma yields 

Vfgh: 6(<Q). f{< Q }g=> g{<ajh^ f{< Q }h 


as required. 


12.2.6 The Identity Bounded Function 

In order to integrate uniformly continuous functions, we compose them with the 
identity bounded function to create a bounded function that can be integrated (see 
Section 12.1.7). This requires defining the identity bounded function on [0,1]. 

The bounded functions are the completion of step functions under the L°° metric. 
To create a bounded function, we need to generate a step function within e of the 
identity function for every e: Q+. The number of steps used in the approximation 
will determine the number of samples of the continuous function / that will be 
used. For efficiency, we want the approximation to have the fewest number of steps 
possible. Therefore, we defined a function stepSample : positive => 6(Q), where 
positive is the binary positive natural numbers, such that stepSample n produces 
the best approximation of the identity function with n steps. 

It is unfortunate that the width of each step is computed during integration, 
because we know that the result will always be equivalent to — for these particular 
step functions. Perhaps some other data structure for step functions could be used 
that explicitly stores the length of each step. However, the time spent computing 
the length of the interval is usually much smaller that the time it takes to sample 
the continuous function /. 
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12.2.7 Correctness 

We have proved our implementation correct by showing that our Riemann integral 
is equivalent to the definition of the integral in the C-CoRN library [Cruz-Filipe, 
2003]. This library contains many machine verified facts about the Riemann inte¬ 
gral. The correctness is one theorem with a 300-line proof mostly consisting of 
translating facts about the fast implementation of the reals to the C-CoRN library 
and vice versa. The actual proof is quite general because it only uses certain gen¬ 
eral properties of the integral, such as linearity and monotonicity. 

As a by-product of our development, we can also compute the supremum of any 
uniformly continuous function on [0,1]. 


12.2.8 Timings 

The version of Riemann integration that we implemented applies to general contin¬ 
uous functions and hence has bad complexity behavior. If we knew more about the 
function, for instance if it is differentiable, faster algorithms could be used [Edalat, 
1999], 


Function 

Time 

(answer 3 (IntegrateOl Cunit)) 

0.18s 

(answer 2 (IntegrateOl cos_uc)) 

0.52s 

(answer 3 (IntegrateOl cos_uc)) 

8.55s 

(answer 3 (IntegrateOl sin_uc)) 

7.48s 


Table 12.2. Time Eval vm.compute in .. . carries out the reduction using Coq’s virtual 
machine. The expression answer n asks for an answer to within 10 -n . All computations 
where carried out on an IBM Thinkpad X41. 


12.3 Remarks 

Because of the way that I have defined uniform continuity, one modulus of conti¬ 
nuity applies to an entire function. Even for those parts of the domain where the 
function changes slowly, we still must approximate the input to the same precision 
that is needed for those parts where the function changes quickly. This reduces 
performance somewhat for evaluation of these functions (at the segments where the 
function changes slowly), but this causes particularly bad performance for integra¬ 
tion. 

Because we only have a global modulus of continuity, we must use uniform parti¬ 
tions when creating an integrable function from a uniformly continuous function. 
This means that the function is sampled just as often where the function changes 
slowly as where the function changes quickly. This uniform sampling can be quite 
expensive for integration. 
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There is some potential to increase efficiency by using a “non-uniform” definition of 
uniform continuity. That is to say, using a definition of uniform continuity that 
allows different segments of the domain to have local moduli associated with them. 
Ulrich Berger uses such a definition of uniform continuity to define integra¬ 
tion [Berger, 2008]. Simpson also defines an integration algorithm that uses a local 
modulus for a function that is computed directly from the definition of the func¬ 
tion [Simpson, 1998]. However, implementing his algorithm directly in Coq is not 
possible because it relies on bar induction, which is not available in Coq. 




Chapter 13 
Compact Sets 


How should we define what computable subsets of the plane are? Sir Roger Penrose 
ponders this question at one point in his book The Emperor’s New Mind, [Penrose, 
1989]. Requiring that subsets be decidable is too strict; determining if a point lies 
on the boundary of a set is undecidable in general. Penrose gives the unit disc, 
{(*, y) \x 2 + y 2 < 1}, and the epigraph of the exponential function, {(a;, y)\ 
exp(;r) < y}, as examples of sets that intuitively ought to be considered com¬ 
putable [Brattka, 2003]. Restricting one’s attention to pairs of rational or algebraic 
numbers may work well for the unit disc, but the boundary of the epigraph of the 
exponential function contains only one algebraic point. A better definition is 
needed. 

To characterize computable sets, we draw an analogy with real numbers. The com¬ 
putable real numbers are real numbers that can be effectively approximated to 
arbitrary precision. We can define computable sets in a similar way. We need a 
dense subset of sets that have finitary representations. In the case of the plane, the 
simplest candidate is the finite subsets of Q 2 . How do we measure the accuracy of 
an approximation? Distances between subsets can be defined by the Hausdorff 
metric (see Section 13.2). To construct the real numbers, we completed the rational 
numbers (see Definition 11.1). Completing the finite subsets of Q 2 with the Haus¬ 
dorff metric yields the compact sets (see Section 13.3). Because we reason construc¬ 
tively, the generated compact sets can be effectively computed to arbitrary preci¬ 
sion. 

The unit disc is constructively compact; it can be effectively approximated with 
finite sets. When a computer attempts to display the unit disc, only a finite set of 
the pixels can be shown. So instead of displaying an ideal disc, the computer dis¬ 
plays a finite set that approximates the disc. This is the key criterion that Pen¬ 
rose’s examples enjoy. They can be approximated to arbitrary precision and dis¬ 
played on a raster. 

Technically the epigraph of the exponential function is not compact; however, it is 
locally compact. One may wish to consider constructive locally compact sets to be 
computable sets. This would mean that any finite region of a computable set has 
effective approximations of arbitrary precision. 


119 






120 


Compact Sets 


The usual definition of computable sets used in computable analysis says that a set 
is computable if the distance to the set is a computable real-valued function. This 
definition is equivalent to the definition using computable approximations. How¬ 
ever, I believe that defining computable sets by effective approximations by finite 
sets more accurately matches our intuition about sets that can be drawn by a com¬ 
puter. 


13.1 Product Metrics 


Given two metric spaces X and Y, their Cartesian product X x Y forms a metric 
space with the standard sup-metric. 


Definition 13.1. B* xl "((ai, bi), (a 2 , b 2 )) := B* (ai, a 2 ) A (b\, b 2 ). 


The product metric preserves each class of metric space defined in Section 9.3, so 
the product of two decidable metrics is a decidable metric and so forth. Also, the 
product of two prelength spaces is a prelength space. 

The product metric interacts nicely with the completion operation. There is an iso¬ 
morphism between €.{X x Y) and £(X) x €.(Y). One direction I call couple. The 
other direction is defined by lifting the projection functions using map': 

couple : <t(X) x €{Y) —x Y) 
ft : C(IxF)^£(I) 

7f 2 : <L(X xY)^ £{Y) 


Definition 13.2. couple(x, y) := Xe. (x(e), y{e))- 

I denote couple(x, y) by (x, y). The following theorems prove that these functions 
form an isomorphism. 

Theorem 13.3. <L(X x Y) and £(X) x <£(Y) are isomorphic: 

<**(*), ~ z 

{■7f 1 (x,y),Tf 2 (x,y)) x (x,y) 


This isomorphism implies that C is a symmetric monoidal monad. Every symmetric 
monoidal monad is also a commutative strong monad [Kock, 1972], The tensorial 
strength is given by the function strength : X x <£(Y) —> <t(X x Y) defined as follows: 
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Definition 13.4. strength(a, y) := (a, y). 


One could define strength first and then define couple in terms of strength and 
swap : X x Y —>Y x X, but this would lead to a less efficient definition of couple. 
This is why I defined couple directly. 

Tensorial strength should not be confused with functorial strength. Functorial 
strength states that map itself is a morphism. I proved functorial strength in Sec¬ 
tion 10.2. In a Cartesian closed category, tensorial and functorial strength are 
equivalent [Kock, 1972]. However, our category of metric spaces with uniformly 
continuous functions is not Cartesian closed because evaluation is not uniformly 
continuous (see Section 10.3.2). This is why I had to develop the two notions of 
strength separately. 


13.2 Hausdorff Metrics 

Given a metric space X, we can try to put a metric on predicates (subsets) of X. 
We start by defining the Hausdorff hemimetric. A hemimetric is a metric without 
the symmetry and identity of indiscernibles requirement. I define the hemimetric 
relation over X =>■ * as follows. 

Definition 13.5. B) := Vx eA.3y& B. Bf (x, y). 


Notice the use of the classical existential in this definition (see Definition 2.2). In 
general, one does not need to know which point in B is close to a given point in A ; 
it is sufficient to know one exists without knowing which one. Furthermore, there 
are cases when one cannot know which point in B is close to a given point in A. 

This relation is reflexive and satisfies the triangle inequality. It is not symmetric. I 
define a symmetric relation as follows. 

Definition 13.6. B?^*(A,B) := H?^*(A,B) A H?^*(B,A). 


This relationship is reflexive, symmetric, and satisfies the triangle law. Notice that 
if B C A then H^^*(A. B) holds for all e. The hemimetric captures the subset 
relationship. If B C A and A C B (i.e. A X £>), then B^^’*(A, B) holds for all e. 
However, Axiom 5 for metric spaces requires the reverse implication: if B^^*(A, 
B) holds for all e, then we want A ^ B. Unfortunately, this does not hold in gen¬ 
eral. Neither does the closedness property hold as required by Axiom 4. To make a 
true metric space, we need to focus on a subclass of predicates that has more struc¬ 
ture. 
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13.2.1 Finite Enumerations 

A finite enumeration of points from A is represented by a list. A point a; is in a 
finite enumeration if there classically exists a point in the list that is equivalent to 
x. We are not required to know which point in the list is equivalent to x; we only 
need to know that there is one. An equivalent definition is given by structural 
recursion on lists. 


Definition 13.7. 


x G nil := . 

xGcons (y,l) := xxyV xGl. 

We use the classical disjunction (see Definition 2.2) here because the constructive 
union of two or more points may not be complete [Mandelkern, 1988]. To see why, 
consider the set defined by the predicate z e A:= zzz x'V zzz. y given two real num¬ 
bers x, y: R. This predicate represents the set {x. y). If A were complete, then 
max (x, y) G A. However, this would imply that max (x, y) >; x V max (x, y) x y, 
which is equivalent to y < x V x < y. This is well-known to be unprovable. Hence we 
cannot always prove that the constructive union of even two points is compact. 

Because (constructively) finite sets are not necessarily compact, they cannot be 
used as a basis for compact sets. However, when the classical disjunction is used in 
Definition 13.7, the resulting enumerations are always complete and compact. 

Two finite enumerations are considered equivalent if they have exactly the same 
members. 


Definition 13.8. h x l 2 := Vx.x Ghox€l 2 . 


If A is a stable metric space (recall Definition 9.14), then the space of finite enu¬ 
merations over X, (J(A), is also a stable metric space. The Hausdorff metric with 
the membership predicate defines the distance relation. 


Definition 13.9. Bf x \h,l 2 ) :=B x ^*(Xx.xGh,Xy.yGl 2 ). 


This distance relation is both closed (Axiom 4) and is compatible with our equiva¬ 
lence relation for finite enumerations (Axiom 5), so this truly is a metric space. 
The proof that the distance relation is closed relies crucially on stability at one 
point (see Section 13.2.2). 

If A is a located metric space, then S'(A) is also a located metric space. However, 
to prove that #(A) is a prelength space, I need to assume that A is both a pre¬ 
length space and a located metric space. I believe that if a classical existential was 
used in the definition of prelength space (see Section 9.5.5), then one could prove 
that j?(A) is a prelength space without assuming that A is a located metric space. 
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Finite enumerations also form a monad (although I have not verified this in Coq). 
The unit : X => SIX) function creates an enumeration with a single member. The 
join : J((J(X)) => $(X) function returns the finite union of finite enumerations. The 
map: (X => Y) => ($(X) => $(Y)) function takes a function f: X => Y and replaces 
every element x from a finite enumeration with f{x). 


13.2.2 Mixing Classical and Constructive Reasoning 

The proof that the distance relation for finite enumerations is closed makes essen¬ 
tial use of classical reasoning. Given e, suppose that B^ x '(l\. I2) holds whenever 
e < 8. We need to show that B^ x \li, I2) holds. By the definition of the metric, 
this requires proving (in part) \/x G l\. By G l 2 - B x {x, y). From our assumptions, we 
know that \/x G h- By G l 2 . Bf(x, y) holds for every 8 greater than e. If I had used a 
constructive existential in the definition of the Hausdorff hemimetric, we would 
have a problem. Each different value 8 could produce a different y witnessing 
Bf(x, y). In order to use the closedness property from X to conclude B^(x. y), 
we need a single y such that B x (x, y) holds for all 8 greater than e. Classically we 
would use the infinite pigeon hole principle to find a single y that occurs infinitely 
often in the stream of ys produced from 8 G je + i | n: N+j. Such reasoning does 
not work constructively. Given an infinite stream of elements drawn from a finite 
enumeration, there is no algorithm that will determine which one occurs infinitely 
often. 

Fortunately, because I used classical quantifiers in the definition of the Hausdorff 
metric, we can apply the infinite pigeon hole principle to this problem. We classi¬ 
cally know there is some y that occurs infinitely often when 5 G je + i | n: N+j, 
even if we do not know which one. For such y , Bf(x, y) holds for <5 arbitrarily 
close to s, and therefore Bf (x, y) must hold for all 5 greater than e. By the closed¬ 
ness property for X, B?(x. y) holds as required. The other half of the definition of 
B^ X \h,l 2 ) is handled similarly. 

Recall from Chapter 2 that the classical fragment of constructive logic requires that 
proof by contradiction hold for atomic formulas in order to deduce the rule 
•sya =G ip. Because B^(x, y) is a parameter, we do not know if it is constructed 
out of classical connectives. To use the classical reasoning needed to apply the 
pigeon hole principle, we assume that ->->B^-(x, y) =» B?(x, y) holds. This is the 
crucial point where stability of the metric for X is used. 


13.3 Metric Space of Compact Sets 


Completing the metric space of finite enumerations yields a metric space of com¬ 
pact sets. 
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Definition 13.10. £:=<£o£. 


The idea is that every compact set can be represented as a limit of finite enumera¬ 
tions that approximate it. In order for a compact set to be considered a set, we 
need to define a membership relation. The membership is not over X, because 
compact sets are supposed to be complete and X may not be a complete space 
itself. Instead, membership is over (£(X), and it is defined for x: C(X) and S: A(X) 
as follows: 


Definition 13.11. x e S := Veq £2- 3y G «S(e 2 ). B^ 1+£2 (x(ei), y). 

A point is considered to be a member of a compact set S if it is arbitrarily close to 
being a member of all approximations of S. Thus A(X) represents the space of 
compact subsets of <£(X). 


13.3.1 Correctness of Compact Sets 

Bishop and Bridges define a compact set in a metric space A - as a set that is com¬ 
plete and totally bounded [Bishop and Bridges, 1985]. In my framework, we say a 
predicate A: X => * is complete if whenever x : C(X) is made from approximations 
in A, then x is in A: 


Vx: £(X) . (Ve. x(e) € A) =>3z e A. z x 

A set B: X =>■ * is totally bounded if there is an e-net for every e: Q + . An e-net is a 
list of points l from B such that for every x G B there (constructively) exists a point 
z that is constructively in l and B Y (x, z ). Bishop and Bridges use the strong con¬ 
structive definition of list membership that tells which member of the list the value 


Ve: Q+. 31: list X. (V® e l.x € B) A (V® € B. 3 z e l. B Y (x,z)) 

Does my definition of compact sets correspond with Bishop and Bridges’s defini¬ 
tion? The short answer is yes, but there is a small caveat. My definition of metric 
space is more general than the one that Bishop and Bridges use. Bishop and 
Bridges require a distance function d: X => X =>■ 1R. My more liberal definition of 
metric space does not have this requirement. I have verified that my definition of 
compact is the same as Bishop and Bridges’s, assuming that X is a located metric 
(see Definition 9.12). If a metric space has a distance function, then it is a 
located metric. Thus, my definition of compact corresponds to Bishop and 
Bridges’s definition of compact for those metric spaces that correspond to Bishop 
and Bridges’s definition of metric space. 
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We prove that the two definitions are the same by constructing an isomorphism 
between the two structures. This requires constructing two functions, one that 
maps our compact sets to Bishop-compact sets and another that maps Bishop-com¬ 
pact sets to our compact sets. 

The two definitions are fairly similar. The major difference is that the points in 
Bishop’s e-nets must be members of the compact set. On the other hand, it is pos¬ 
sible that none of the points in my e-approximations are actually part of the com¬ 
pact set. 

Defining the function from Bishop-compact sets to our compact sets is fairly easy. 
Given a Bishop-compact set S, we can define the e-approximation by first finding a 
|~net, and then approximating each of the points in the net to within The result 
is a list of points in X that when interpreted as a finite enumeration is within e of 
the compact set that S represents. These approximations are coherent; therefore, 
the function producing these finite sets is a regular function, so it is a compact set. 
Computing the Bishop-compact set given a compact set S is more difficult. We 
need to prove that this set is complete and totally bounded. Proving that it is com¬ 
plete is easy. Proving that it is totally bounded is the difficult part. We need to 
construct an e-net that contains points from S, but our approximations generally 
do not lie inside S. To construct the e-net, we start by computing a hi-approxima- 
tion as our seeds. For each seed, we will construct a new point in <£(X) that is a 
member of the compact set S, and within 7 of its seed. By choosing 8\ and 7 such 
that <5i + 7 < e, the list of constructed points will be an e-net. 

Given a point from a (^-approximation of S, we would like to select a point inside 
the fehi-approximation of <S that is within hi + k8\ of the first point. Classically we 
know such a point exists because the approximations are coherent (Definition 13.5); 
however, we don’t know which point it is. Without a decidable metric (Defini¬ 
tion 9.11), we cannot search the list to find the point. 

To overcome this we use the assumption that X is a located metric (Defini¬ 
tion 9.12). Using locatedness we still cannot search for a point within c>i + k5 \, but 
we can search for a point within <5i + k8\ + 82- 

With a suitable point in the fc hi-approximation of S found, we can repeat the 
above procedure to find a point in the /hhi-approximation that is within 
k8\ + k 2 Si + kd-2 of our second point. By repeating this procedure and taking the 
limit, a point y: €(X) is constructed that is within <?1 + L fc f 1 fc + 62 of the initial point 
from the hi - ap p r ox i m a t i o n. Furthermore, y is in the compact set because it is con¬ 
structed from points that are drawn from finer and finer approximations of S. 

Using the above procedure we can map every point in the in the hi-approximation 
to new point from S. These new points form a ^<5i + 82 + Sl S ' 2 j-net because 
for every point x in the set S we can find some point z in the ^-approximation 
that is within <5i + 82 of x and the point in our net generated from the seed z is 
within Sl i-Ml-t 52 0 f z . By choosing suitable values for hi, 82, and k, we can ensure 

that ^<5i + 82 + &1 ° 2 ) — U and hence our net is an e-net. For concreteness, in 

my construction 1 chose k := i, hi := S-, and 82 := (t. 
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Thus our compact sets are interpreted as a totally bounded and complete set, and 
hence correspond to a Bishop and Bridges style compact set. To complete the proof 
that our two notions are isomorphic, we need to show that composing the functions 
to and from Bishop-compact sets and to and from my compact sets yield the iden¬ 
tity function. This proof is straightforward. 


13.3.2 Distribution of ^ over £ 

Recall that composition of two monads, 21 o ©, forms a monad when there is a dis¬ 
tribution function dist : ®(2l(X)) —> 2l(f8(A')) satisfying the laws given in Sec¬ 
tion 12.1.9. For compact sets, &(X) := (£ o $)(X), the distribution function dist : 
$(£(*)) - £($(*)) is defined by 

Definition 13.12. dist(Z) := Ae. map^(Aa;.a;(e))(Z). 

This function interprets a finite enumeration of points from <£(X) as a compact set. 
Thus & is also a monad. 13 - 1 


13.3.3 Compact Image 

One can define the compact image of a compact set S: fi(X) under a uniformly 
continuous function / : £(X) —> £(Y), by recalling that / denotes bind(/), and by 
noting that applying / to every point in a finite enumeration is a uniformly contin¬ 
uous function, mapy(/): $(X) — * Composing this with dist yields a uni¬ 

formly continuous function from finite enumerations $(X) to compact sets A(Y). 
Using bind (Definition 10.18), this function can be lifted to operate on &(X). The 
result is the compact image function. 

Definition 13.13. / f <S := bindc(disto mapy(/))(«S). 

Although Bishop and Bridges would agree that the result of this function is com¬ 
pact, they would not say that it is the image of S because one cannot construc¬ 
tively prove 

My. y e / \ S => 3x e S. f(x) x y. 

Instead, they would consider f \ S to be the closure of the image of S under /. In 
constructive analysis, the image of S under /, namely Ay.Bx € S. f(x) x y, is not 
necessarily compact [Mandelkern, 1988]. Consider /: Bool => 1R where /(true) := x 
and /(false) := y given two real numbers xy: It. The Booleans are compact (using 
the discrete topology), but the image of / may not be provably compact for the 
reason given in Section 13.2.1. 


13.1. I have not yet verified the distribution laws for the 5 and £ monads, but the laws are not 
needed for any of the proofs in my work. 
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I believe one can prove (but I have not verified this in Coq) the classical statement 
My. y £ / \ S => 3x £ S. f(x) x y. 

When / is injective, as it will be for our graphing example in Section 13.4.1, the 
constructive existential statement holds. 


13.4 Plotting Functions 

There are many examples of constructively compact sets. This section illustrates 
one application of compacts sets: plotting functions. 


13.4.1 Graphing Functions 

Given a uniformly continuous function / : £(X) —> Gi(Y) and a compact set 
V: &(X), the graph of the function over V is the set of points {(ar, f(x)) \ x £ V}. 
This graph can be constructed as a compact set G(V, /): Si(X x Y). A single point 
is graphed by the function g(f)(x) := (x, f(x)). This function is uniformly contin¬ 
uous, g(f): X —> C(X x Y). The graph G(D . /) is defined as the compact image of 
V under g{f). 

Definition 13.14. G(D , /) := g(f) \V. 


13.4.2 Rasterizing Compact Sets 

Given a compact set in the plane S: fi(Q x Q), we can draw an image of it, or 
rather we can plot an approximation of it. This process consists of two steps. The 
first step is to compute an e-approximation l := <S(e). The finite enumeration l is a 
list of rational coordinates. The next step is to move these points around so that 
all the points lie on a raster. A raster is simply a two dimensional matrix of 
Booleans. Given coordinates for the top-left and bottom-right corners, a raster can 
be interpreted as a finite enumeration. Using advanced notation features in Coq, a 
raster can be displayed inside the proof assistant [Stein, 2003]. Most importantly, 
when the constructed raster is interpreted, it is provably close to the original com¬ 
pact set. 


13.4.3 Plotting the Exponential Function 

Given a uniformly continuous function / : R—> R and an interval [a, b], the graph of 
/ over this compact interval is a compact set. The graph is an ideal mathematical 
curve. This graph can then be plotted yielding a raster that when interpreted as a 
finite enumeration is provably close to the ideal mathematical curve. 
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ball (m:=Compact stableQ2) (324 # 2592) 

graphCR (boundBelow 0 ° boundAbove 3 ° exp bound uc 1) [- (6) .. 1] 
(Cunit 

(- (6), 3)k 



*< 1 . 0 )) 

Figure 13.1. A theorem in Coq stating that a plot on a 42 by 18 raster is close to the 

graph of the exponential function on [—6,1]. 

Figure 13.1 shows a theorem in Coq that states the (ideal mathematical) graph of 
the exponential function (which is uniformly continuous on (—oo, 1]) restricted to 
the range [0, 3] on the interval [—6, 1] is within (which is equivalent to i) of 
the finite set represented by raster shown with the top-left corner mapped to 
(—6, 3) and the bottom-right corner mapped to (1, 0). The raster is 42 by 18, so, by 
considering the domain and range of the graph, each pixel represents a ^ by ^ 
square. The error between the plot and the graph must always be greater than half 
a pixel. I chose an e that produces a graph with an error of | of a pixel. In this 
case ^ i = i, which is the error given in the theorem. 

There is one small objection to this image. Each block in the picture represents an 
infinitesimal mathematical point lying at the center of the block, but the block 
appears as a square the size of the pixel. This could be fixed by interpreting each 
block as a filled square instead of as a single point. This change would simply add 
an additional - pixel to the error term. This has not been done yet in this early 
implementation. 


13.5 Alternative Hausdorff Metric Definition 

There is another possible definition for the Hausdorff metric. One could define the 
Hausdorff hemimetric as 


B) := Vx e A.^5.By € B. B? +S (x, y). 
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The extra flexibility given by the <5 term also allows one to conclude that there is 
some y £ B that is within £ of x without telling us which one (again, it may be the 
case that we cannot know which y is the one). Our original definition H^ => *(A. B) 
is implied by H'f^’*(A, B); however, the alternative definition yields more con¬ 
structive information. 

The two definitions are equivalent under mild assumptions. When X is a located 
metric, then H^^*(A, B) => {A. B). This is a very common case and allows 

us to recover the constructive information in the H' version from the H version. 
This was implicitly done in the proof from Section 13.3.1 

The constructive existential in the definition of H' would make the resulting metric 
not provably stable. It is somewhat unclear which version is the right definition for 
the constructive Hausdorff metric. The key deciding factor for me was that I had 
declared the distance relation to be in the Prop universe (see Section 2.3.2). This 
means that even if I used the H' definition in the Hausdorff metric, its information 
would not be allowed by Coq to construct values in Set. For this reason, I chose 
the H version with the classical quantifiers for the definition of the Hausdorff 
metric. Values with classical existential quantifier type have no information in them 
and naturally fit into the Prop universe. 


13.6 Compactness and Computability 


Warning: This section contains a philosophical discussion of the merits of construc¬ 
tive language over the language of classical computation theory. The mathematics 
used in this section serve to illustrate my position. I have no guarantees about the 
accuracy of the images; I have made no formal, nor informal proofs of the conver¬ 
gence of Equation 13.1 below, and I cannot guarantee that the constructive formula 
in Equation 13.2 is correct. However, I believe that the images are reasonably accu¬ 
rate and the formulas are correct and could be formalized. 

Is there a computer program that outputs 1 if the Riemann hypothesis is true and 
outputs 0 if the Riemann hypothesis is false? This is a common puzzle posed in 
computer science courses on the theory of computation. The classical solution to 
this puzzle is, Yes! Consider two programs, one that outputs 0 and another that 
outputs 1. One of these two programs satisfies the specification, so a computer pro¬ 
gram does exist even if we don’t know which one. 

This sort of paradoxical result is due to the language of classical logic that is used 
in classical computation theory. If we phrase the same question in terms of con¬ 
structive mathematics, we ask, “does RH V -iRH hold?” where RH is the statement 
of the Riemann hypothesis. Now we must answer, “We don’t know,” which is the 
expected answer. 
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One might dismiss this as a silly example that everyone understands after encoun¬ 
tering it once and it is no longer a concern after that. However, this problem with 
the language of classical computation theory can potentially appear in far more 
subtle places. 

Consider, for example, Braverman and Yampolsky’s theorem that all filled Julia 
sets are computable [Braverman and Yampolsky, 2009]. Yet, there are Julia sets 
that we do not know how to compute. Let us focus on quadratic polynomials 
p c (z ) := z 2 + c for this example. Let K c be the filled Julia set for the polynomial p c . 
Classically, the set K c is a compact subset of C that can be defined as follows: 

z£K c :=3M.\/n:N.\p { ?\z)\<M 

This means that the set K c contains all the complex numbers z such that all the 
iterations of 0 under p c remain bounded. Classically, a compact set A is said to be 
a computable subset of the real plane when there exists a computable function 
/: N =>• ]J(Q 2 ), such that d(f(n), A) < 2~ n using the Hausdorff metric. 13 - 2 In other 
words, A can be drawn on any arbitrarily high resolution raster display by a single 
program (note the similarity with my definition of constructively compact sets). 
When we say K c is computable, we are identifying C with the real plane in the 
usual way. 

We are going to construct an example of a computable filled Julia set that we do 
not know how to compute. We are going to do this by creating a Brouwerian coun¬ 
terexample [Richman, 1983]. Let Vn: N. V(n) be your favourite unsolved Hi 
problem. For concreteness, I will take t?(n) := -i?(n) where <r(n) states that when n 
is considered as an ASCII file, it contains a valid Coq proof of False from no 
axioms and without using the tactic language (only (co-)inductive declarations and 
definitions allowed). This means that Vn: N.i?(n) states that Coq is consistent. I 
have chosen this example because, by the second incompleteness theorem (see Sec¬ 
tion 7.6), Coq cannot prove this statement (unless Coq is inconsistent). 

Consider the sequence g: N => R where go := \ and g n +1 is the unique solution in 
[0, p n ] such that 



The sequence g is strictly decreasing and has a limit of 0. The sequence is con¬ 
structive because P^_ g — § 1S a polynomial in g n , so its roots can be con¬ 
structed [Geuvers et al., 2002]. 

Define e: 1R, to be the regular function 

e(e) := inf ({po} U {p n +i | £ < Pn+i A Vra.m < n=> $(rn)}). 

13.2. This definition of computable is somewhat different than the one given by Braverman and 
Yampolsky, but it is equivalent. 



13.6 Compactness 


Computability 
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The value e is a well-defined constructive real number, because {Q n + 11 e < Q n + 1} is 
a finite set, and Vm.m < n => 'd(rn) is a decidable predicate. If Coq is consistent, 
then e x 0. If Coq is inconsistent, then ex where n is an ASCII encoding of a 
proof of False. According to Braverman and Yampolsky’s theorem, /Ci +e is a com¬ 
putable filled Julia set, because all filled Julia sets are computable. Consider Figure 
13.2. If Coq is consistent, then XA +e is approximately the image on the left, and if 
Coq is inconsistent, then £1 is approximately the image on the right. 13 - 3 How¬ 
ever, just like the previous Riemann hypothesis puzzle, we do not know which 
image is correct. The language of classical computation theory misleads us again, 
and this time it is not with a result that is trivial enough to dismiss as a harmless 
puzzle. 



Of course, Braverman and Yampolsky do not mislead their readers. They make 
themselves perfectly clear that the filled Julia sets are not uniformly computable. 
However, the fact that they need to go through hoops to clarify their result serves 
to illustrate the deficiency of the language of classical computation. 


13.3. These images were generated by the program Mandel 5.2 [Jung, 2008], which does not use a 
correct algorithm. It instead estimates the image and uses floating point calculations. I make no 
guarantee of the accuracy of these images, but they are presumably reasonably accurate. If one 
used the algorithms given by Braverman and Yampolsky, then “loops” “inside” the right hand 
image would not get drawn until e had been computed to sufficient accuracy to prove that Coq is 
inconsistent. In order to generate a reasonable image for this case, I have carefully chosen the 
sequence Q n so that Ki , converges more uniformly [Douady, 1994]. This allows me to approxi¬ 
mate Ki |_ e for large n by for small n. I have not computed the modulus of convergence 

and simply used an n that seems to be large enough to give accurate results for the resolution 
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Compact Sets 

13.6.1 A Constructive Approach to Filled Julia Sets 

Suppose that Braverman and Yampolsky used the language of constructive mathe¬ 
matics instead. How would they present their results? Instead of asking if a com¬ 
pact set was classically computable, they would simply ask, “Is every filled Julia set 
(constructively) compact?”. Instead of concluding, “Yes”, their work would result in 
a theorem such as: 

Vc: C. ( p c has an attracting orbit 

V p c has a parabolic orbit 

V p c has a Siegel orbit (13.2) 

V p c has a Cremer orbit 

V all orbits of p c are repelling ) => 1C C is compact 

The constructive result clearly states, right in the theorem, exactly the extra infor¬ 
mation beyond the value of c that is needed to compute K c . One does not need to 
go fishing through the proofs to get this information (as is needed for the classical 
theorems). Note that a proof of the big disjunction in the hypothesis of the the¬ 
orem contains more information than simply which clause holds. Each clause con¬ 
tains constructive details about the particular type of orbit. 

According to classical mathematics, the big disjunction is true and can be removed 
from the hypothesis. However, because of the discontinuity of Ac. K c at various 
points, the theorem Vc: C. K c is compact cannot be constructed. 

The constructive theorem cannot be used to prove that K, i +e is compact in Coq. 
Coq cannot prove (pi +e is parabolic V all orbits of Pi +f are repelling^—all the 
other clauses are provably false—because such a theorem would contradict the 
second incompleteness theorem (unless Coq is inconsistent). This corresponds to 
our understanding that we do not know how to compute /Ci , g . However, we can 
prove 

(Coq is consistent V Coq is inconsistent) =>/Ci +e is compact. 

This example illustrates how the constructive formulation better conveys com¬ 
putability results than the language of classical computability theory. 






Chapter 14 
Conclusion 


The major goal of this part was to develop an effective implementation of real num¬ 
bers that is efficient enough to be used for computation inside a proof assistant. I 
approached this problem by first creating a generic completion operation on metric 
spaces. I needed to create a completion operation that was independent of the real 
numbers. This naturally led to defining metric spaces using a distance relation (see 
Chapter 9). This definition is more general than the one given by Bishop and 
Bridges [Bishop and Bridges, 1985]. 

I showed that the completion operation has a familiar monad structure (see 
Chapter 10), and I used these monad operations to define functions on complete 
metric spaces. The monad operations nicely separate the problem of defining func¬ 
tions on complete spaces into two separate parts: defining the operation on the 
underlying dense space and then proving that the definition is uniformly contin¬ 
uous. 

I defined the real numbers as the completion of the rational numbers (see 
Chapter 11). I defined various elementary functions on the real numbers and 
showed that they can be implemented efficiently enough to allow real numbers to 
be approximated inside the Coq proof assistant. I used my efficient real numbers to 
build a simple tactic for proving strict equalities between real number expressions. 

With the major goal achieved, I then looked at other applications of the completion 
operation. I defined the integrable functions as the completion of the rational step 
functions under the L 1 metric (see Chapter 12). I defined Riemann integration of 
uniformly continuous functions by converting them to integrable functions. We saw 
that this definition was easy to extend to define Stieltjes integration. 

The other application of the completion operation was for compact sets. I defined 
the compact sets as the completion of the finite sets under the Hausdorff metric 
(see Chapter 13). The generated compact sets were effective and could be plotted 
inside the Coq proof assistant. I showed how to plot uniformly continuous func¬ 
tions and use these plots in theorems to prove that the plots accurately represent 
the graph of the function. 

The development of compact sets also showed how one can mix classical and con¬ 
structive reasoning. I used the classical infinite pigeon hole principle to prove the 
closedness property of the metric (see Section 13.2.2). I estimate that 80% of the 
time developing constructive analysis, one is in a context where classical reasoning 
can apply. For example, when your (sub-)goal is to prove that x x y for two real 
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Conclusion 


numbers x and y, then that goal is stable and you are allowed to perform classical 
case analysis on y < z V z < y or any other classical disjunction or existential (see 
Theorem 2.3 and Theorem 2.4). Even when developing constructive theorems, one 
usually provides a witness early in the proof and classical reasoning can be used for 
the remaining goal. 
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Samenvatting 


Onvolledigheid & Volledigheid: 

Formalisatie van Logica en Analyse in Typetheorie 

Dit proefschrift omvat twee bewijsontwikkelingen in de constructive typetheorie: 
een bewijs van de eerste onvolledigheidsstelling van Godel en een ontwikkeling van 
exacte reele rekenkunde. Ik werk in een constructieve typetheorie, omdat dit sys- 
teem de unieke mogelijkheid heeft om afhankelijk getypeerd programmeren vrij te 
combineren met bewijzen in natuurlijke deductie. Door het Curry-Howard isomor- 
fisme gebruiken deze twee taken precies dezelfde taal. Het programmeeraspect en 
het bewijsaspect van deze taal ondersteunen elkaar. Bewijzen worden gebruikt voor 
het certificeren van de correctheid van functies, en correcte functies kunnen worden 
geevalueerd in bewijzen om problemen op te lossen. 

Hoofdstuk 1 en Hoofdstuk 2 introduceren het onderwerp van mijn proefschrift en 
geven een korte introductie tot de soort typetheorie die ik zal gaan gebruiken. 
Beide ontwikkelingen zijn geformaliseerd met de Coq bewijs-assistent, een imple- 
mentatie van constructieve typetheorie. Ik toon hoe klassieke logica kan worden 
gezien als een fragment van constructieve logica, zodat klassiek redeneren ook 
wordt ondersteund in constructieve typetheorie. 

In deel I beschrijf ik mijn ontwikkeling van de eerste onvolledigheidsstelling van 
Godel. Het begint met Hoofdstuk 3, dat een korte inleiding en een beschrijving van 
de onvolledigheidstelling geeft. 

De beschrijving van mijn formele bewijzen begint in Hoofdstuk 4, waarin ik mijn 
datastructuur voor eerste orde formules en mijn datastructuur voor bewijzen in de 
eerste-orde logica beschrijf. Ik definieer twee axiomasystemen: Peano’s rekenkunde 
en een zeer zwak rekenkundig systeem, genaamd NN. Deze interne logica is klas¬ 
siek, terwijl de logica van Coq constructief is. Ik heb gekozen voor een traditionele 
definitie van substitutie in formules waarin gebonden variabelen hernoemd worden 
om te voorkomen dat vrije variabelen worden gebonden. Deze keuze veroorzaakt 
veel problemen door het hele bewijs. 

Hoofdstuk 5 bespreekt hoe ik verschillende structuren als natuurlijke getallen 
codeer en hoe ik aantoon dat de functies die op deze structuren werken voorgesteld 
kunnen worden door rekenkundige formules. In plaats van de hoofdstelling van de 
rekenkunde, zoals Godel oorspronkelijk gebruikte, gebruik ik recursief Cantor’s 
paringsfunctie om de abstracte syntaxbomen van formules en bewijzen te coderen. 
In Sectie 5.2, definieer ik een taal voor primitief recursieve functies. Ik heb primitief 
recursieve programma’s geschreven voor alle benodigde functies op formules en 
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bewijzen. Ik bewijs dat deze primitief recursieve programma’s correcte representa- 
ties van de oorspronkelijke Coq functies zijn. In Sectie 5.4, beschrijf ik mijn bewijs 
dat alle primitief recursieve functies voorgesteld kunnen worden door rekenkundige 
for mules. 

Hoofdstuk 6 geeft mijn formele uitspraak van de onvolledigheidsstelling. Ik bewijs 
dat het systeem NN wezenlijk onvolledig is. In het bijzonder is Peano’s rekenkunde 
onvolledig, omdat ik ook bewijs dat Peano’s rekenkunde consistent is door aan te 
tonen dat de natuurlijke getallen van Coq een model van Peano’s rekenkunde 
vormen. Tenslotte, geeft Hoofdstuk 7 een paar slotopmerkingen over dit bewijs en 
beschrijft wat nog meer nodig zal zijn om de tweede onvolledigheidsstelling te 
bewijzen. 

In deel II, beschrijf ik mijn implementatie van exacte reele rekenkunde door eerst 
een algemene implementatie van volledige metrische ruimten maken. Dit deel 
begint met Hoofdstuk 8, dat een korte inleiding en achtergrondinformatie over 
Bishop en Bridges’s benadering van de reele getallen geeft [Bishop and Bridges, 
1985]. 

Hoofdstuk 9 introduceert mijn formele definitie van een metrische ruimte en ver- 
schillende classificaties van metrische ruimten met extra eigenschappen. Uniform 
continue functies tussen metrische ruimten worden gedefinieerd. Zij spelen een cen- 
trale rol in dit werk. 

Hoofdstuk 10 definieert de completeringsoperatie die een volledige metrische ruimte 
maakt uit een willekeurige metrische ruimte. Ik toon aan dat deze completeringso¬ 
peratie de vereiste eigenschappen heeft om er een monad van te maken. Ik definieer 
operaties die uniform continue functies over metrische ruimten liften tot uniform 
continue functies over de completering van die metrische ruimten. 

Hoofdstuk 11 definieert de reele getallen als de completering van de rationale 
getallen. De lichaamsoperaties voor de reele getallen worden gedefinieerd door de 
operaties van de rationale getallen te liften. Andere elementaire functies definieer ik 
eerst op de rationale getallen als de limiet van een machtreeks. Daarna worden ook 
zij gelift zodat ze op alle reele getallen werken. Sectie 11.5 beschrijft manieren om 
sommige veelvoorkomende operaties efficienter te definieren. A1 mijn functies 
kunnen worden uitgevoerd binnen Coq en zijn efficient genoeg om benaderingen 
praktisch uit te rekenen. Ik heb een tactiek geschreven die zulke berekeningen 
gebruikt om ongelijkheden tussen gesloten uitdrukkingen van reele getallen op te 
lossen. 

Het doel van mijn werk aan volledige metrische ruimten is de reele getallen te defi¬ 
nieren. Echter, mijn implementatie van volledige metrische ruimten is algemeen. 
Als illustratie hiervan beschrijft Hoofdstuk 12 de metrische ruimte van integreer- 
bare functies als de completering van de formele stapfuncties met de Zd-metriek. 
Uniform continue functies kunnen worden afgebeeld op integreerbare functies op [0, 
1] en geintegreerd worden. Sectie 12.1.8 toont hoe de Stietljes integraal gratis uit 
dit werk volgt. 
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Hoofdstuk 13 geeft een andere toepassing van volledige metrische ruimten, dit keer 
op compacte verzamelingen. De metrische ruinate van compacte verzamelingen 
wordt als de completering van de ruimte van eindige verzamelingen met de Haus- 
dorffmetriek gedefinieerd. Dit betekent dat elke compacte verzameling benaderd 
kan worden door een eindige verzameling. Bovendien kan zo’n eindige verzameling 
worden gerasterd en weergegeven in het Coq systeem. Ik toon bijvoorbeeld aan dat 
de grafiek van een uniform continue functie op een compact interval compact is. 
Figuur 13.1 toont een benadering van de exponentiele functie getekend met Coq. 
Sectie 13.2.2 geeft een mooi voorbeeld hoe men klassieke en constructieve redene- 
ringen kan mixen. Sectie 13.6 bespreekt waarom ik denk dat constructieve logica 
een betere taal is om te praten over berekenbaarheid dan de klassieke berekenbaar- 
heidstheorie. 

Hoofdstuk 14 eindigt met conclusies uit dit onderzoek. 
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